S1 5203 FORWARD??? (5N) REQUEST? ?

S2 11949677 CLIENT? ? OR NODE? ? OR TERMINAL? ? OR PC OR PCS OR COMPUTER? ?
OR WORK () STATION? ? OR WORKSTATION? ? OR SERVER? ? OR DEVICE? ? OR UNIT? ?

S3 248173 S2(5N) (AUTHENTICAT? OR VERIF? OR VALIDAT? OR AUTHORIZ? OR -
OR PRIVILEGE? ? OR CREDENTIAL? ?)

S4 101832 (RESTRICT? OR PREVENT? OR INHIBIT? OR BLOCK??? OR PROHIBIT?
OR FORBID? OR BAR? ? OR BARR???) (5N) (ACCESS? OR RETRIEV?)

S5 72 S1(S)S3

S6 48 RD (unique items)

S7 28 S6 NOT PD>19990625

S8 1291682 INTERMEDIATE (3N) (CLIENT? ? OR NODE? ? OR TERMINAL? ? OR PC
SERVER? ? OR DEVICE? ? OR UNIT? ?) OR INTERMEDIARY OR MEDIARY
OR GATEWAY OR HUB OR PROXY OR AGENT

S9 3622 S8 (5N) REQUEST? ?(5N) (SEND??? OR SENT OR FORWARD??? OR TRANSFER?
OR CONVEY? OR TRANSMIT? OR TRANSMISSION? OR DELIVER? OR
COMMUNICAT? OR PROVID? OR REDIRECT? OR DIRECT? OR DELEGAT? OR
RELAY?)

S10 71 S3(S)S9

S11 51 RD (unique items)

S12 31 S11 NOT PD>19990625

S13 18519 S2 (5N) REQUEST? ?(5N) (SEND??? OR SENT OR FORWARD??? OR TRANSFER?
OR CONVEY? OR TRANSMIT? OR TRANSMISSION? OR DELIVER? OR
COMMUNICAT? OR PROVID? OR REDIRECT? OR DIRECT? OR DELEGAT? OR
RELAY?)

S14 12 S13(S)S3(S)S4

S15 7 RD (unique items)



7/3,K/1 (Item 1 from file: 275)

DIALOG (R) File 275: Gale Group Computer DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

02254045 SUPPLIER NUMBER: 21270693 (USE FORMAT 7 OR 9 FOR FULL TEXT)

Build reliable and scalable N-tier applications that run on both Windows NT
and Unix, (includes related articles on Windows NT security and UNIX).
(Technology Information)

Tomsen, Mai-lan

Microsoft Systems Journal, v13, n12, p33(9)
Dec, 1998

ISSN: 0889-9932 LANGUAGE: English RECORD TYPE: Fulltext; Abstract

WORD COUNT: 5476 LINE COUNT: 00517

... do for COM on Windows NT. COM on Unix just routes the
authentication requests back to the domain controller on Windows NT. The
passthrough system (forwarding authentication requests between the
server on Unix and the domain controller on Windows NT) is opaque to the
client.

The Windows NT domain controller, the client, and the server all...

... DCOM, as usual). The server application (on Unix) hosts the NTLM
passthrough security system and negotiates with the Windows NT domain
controller, which performs the authentication.

When a client requests authentication, the server uses a
component called the NTLM Security Support Provider (SSP) to authenticate
the client. The SSP negotiates the authentication level and calls
another component called the Local Security Authority (LSA) to
authenticate the client. Since the LSA runs only on Windows NT, the
calls are forwarded to the Private Authentication Layer Daemon (PAULAD)
that Microsoft provides as part of the COM sources. The PAULAD service
forwards the request to the Windows NT domain controller by calling the
Private Authentication Layer Service (PAULAS) on the domain controller. The
forwarded request is sent over an encrypted RPC channel. The PAULAS
service on the Windows NT domain controller processes login or
challenge/response requests, and routes the...



7/3,K/2 (Item 2 from file: 275) 

DIALOG (R) File 275: Gale Group Computer DB(TM) 
(c) 2003 The Gale Group. All rts. reserv. 

02233326 SUPPLIER NUMBER: 53137286 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

New show on the cable. (Company Business and Marketing) 

Communications News, 30 
Oct 1, 1998 

ISSN: 0010-3632 LANGUAGE: English RECORD TYPE: Fulltext 

WORD COUNT: 1784 LINE COUNT: 00147 

... the same services (albeit at normal dial-in speeds of 56k and
below).

Subscribers use a normal dial-up connection to a national ISP that
forwards (or proxies) the access requests to the remote access
management server running at MediaOne. The server only permits
connections from users who have signed up to use the 'dial roaming'
service, enabling MediaOne to offer roaming as an add-on, for-cost service



7/3,K/3 (Item 3 from file: 275)

DIALOG (R) File 275: Gale Group Computer DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

02128135 SUPPLIER NUMBER: 20086399 (USE FORMAT 7 OR 9 FOR FULL TEXT)

Bolstering RADIUS. (Funk Software's Steel-Belted Radius 1.5 server
software) (Product Announcement) (Brief Article)

Berinato, Scott

PC Week, v14, n52, p20(1)
Dec 15, 1997

DOCUMENT TYPE: Product Announcement Brief Article ISSN: 0740-1604

LANGUAGE: English RECORD TYPE: Fulltext

WORD COUNT: 307 LINE COUNT: 00027

... outsourcing the remote access equipment to an ISP.

With Proxy RADIUS, a remote user dials in to a local point of
presence, where that RADIUS server forwards the authentication
request to the corporate RADIUS server.

SBR Version 1.5 authenticates users against central directories,
such as Novell Directory Services, so administrators don't have to keep
multiple directories for the same user. For layered protection...



7/3,K/4 (Item 4 from file: 275) 

DIALOG (R) File 275: Gale Group Computer DB(TM) 
(c) 2003 The Gale Group. All rts. reserv. 

02111891 SUPPLIER NUMBER: 19909123 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

TACACS, RADIUS secure servers, (terminal access controller access control
system, remote authentication dial-in user service; security protocols)
(includes related article on Cisco Systems' Web site) (Technology
Information)

Dutcher, William

PC Week, v14, n44, p151(2)

Oct 20, 1997

ISSN: 0740-1604 LANGUAGE: English RECORD TYPE: Fulltext; Abstract

WORD COUNT: 1655 LINE COUNT: 00136

... A remote user interacts only with the remote access server, not the
back-end server.

When a user dials in, the access server starts a client process,
sending an authentication request over the network to its primary RADIUS
server, which has been configured by the access server administrator. The
administrator also may designate a secondary server, to which the access
server can direct authentication requests if the primary RADIUS server
fails to respond. Some RADIUS implementations allow for a RADIUS proxy
server, which automatically forwards authentication requests to
another RADIUS server if it can't authenticate a user.

Implementation varies by vendor, but the RADIUS server usually has
three main files. These include a database of users who may request
authentication...



7/3,K/5 (Item 5 from file: 275) 

DIALOG (R) File 275: Gale Group Computer DB(TM) 
(c) 2003 The Gale Group. All rts. reserv. 

02089932 SUPPLIER NUMBER: 19670948 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

Reining in remote access; RADIUS and TACACS compete to bring better control 
over dial-up access. (Buyers Guide)

Dutcher, William

PC Week, v14, n34, p83(5)

August 11, 1997

DOCUMENT TYPE: Buyers Guide ISSN: 0740-1604 LANGUAGE: English

RECORD TYPE: Fulltext; Abstract

WORD COUNT: 1707 LINE COUNT: 00140

... TACACS, Livingston developed RADIUS. Although both are
client/server, request-response systems, an access server that uses RADIUS
only encrypts the user's password before forwarding the authentication
request to a RADIUS server. Like TACACS+, it also provides a mechanism
for usage accounting.

RADIUS has achieved wider acceptance among RAS system vendors, partly
because RADIUS server software is...

(Item 6 from file: 275)

DIALOG (R) File 275: Gale Group Computer DB(TM)
(c) 2003 The Gale Group. All rts. reserv. 

01621574 SUPPLIER NUMBER: 14463626 (USE FORMAT 7 OR 9 FOR FULL TEXT)

Unix or Windows? A question of scale, (scalability of network management
software based on the Unix operating system and Microsoft Corp.'s
Microsoft Windows graphical user interface) (includes related articles on
features of scalable network management platforms and on Simple Network
Management Protocol) (Network Edition) (Buyers Guide)

Huntington-Lee, Jill

PC Magazine, v12, n19, pNE1(11)

Nov 9, 1993

DOCUMENT TYPE: Buyers Guide ISSN: 0888-8507 LANGUAGE: ENGLISH

RECORD TYPE: FULLTEXT; ABSTRACT

WORD COUNT: 5303 LINE COUNT: 00430

... to a server or a proxy agent. A proxy agent is a special management
agent that receives requests from a management station, polls the relevant
devices for the right information, processes those requests, and then
forwards the results to the management station. To save the network
manager time, the polling mechanism should allow the manager to configure a
poll for groups...

7/3,K/7 (Item 1 from file: 636)

DIALOG (R) File 636: Gale Group Newsletter DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

03905743 Supplier Number: 50096574 (USE FORMAT 7 FOR FULLTEXT)
BAY SECURE ACCESS CONTROL V2.1 FOR UNIX/SOLARIS DEBUTS

UNIX Update, v9, n7, pN/A
July 1, 1998

Language: English Record Type: Fulltext
Document Type: Newsletter; Trade
Word Count: 928

... by the subscriber.

Additionally, BSAC V2.1 comes equipped to offer added flexibility via
its RADIUS Proxy support that allows service providers the ability to
forward authentication requests to remote RADIUS servers. Proxy
RADIUS support allows service providers the ability to deploy BSAC in each
one of its POPs for integration into a remote centralized server that...



7/3,K/8 (Item 2 from file: 636)

DIALOG (R) File 636: Gale Group Newsletter DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

03886164 Supplier Number: 48494451 (USE FORMAT 7 FOR FULLTEXT)
BAY NETWORKS: Bay Networks introduces BaySecure Access Control (BSAC) V2.1
for UNIX/Solaris

M2 Presswire, pN/A
May 25, 1998

Language: English Record Type: Fulltext
Document Type: Newswire; Trade
Word Count: 1114

... by the subscriber.

Additionally, BSAC V2.1 comes equipped to offer added flexibility via
its RADIUS Proxy support that allows service providers the ability to
forward authentication requests to remote RADIUS servers. Proxy
RADIUS support allows service providers the ability to deploy BSAC in each
one of its POPs for integration into a remote centralized server that...

DIALOG (R) File 636: Gale Group Newsletter DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

03760665 Supplier Number: 48138014 (USE FORMAT 7 FOR FULLTEXT)
QUZA: Quza launches total e-commerce solution for merchants 

M2 Presswire, pN/A 
Nov 24, 1997 

Language: English Record Type: Fulltext 
Document Type: Newswire; Trade 
Word Count: 764

server receives the payment information, decodes it and passes the
authorisation request to the acquiring bank over private dedicated lines.

The merchant's acquiring bank forwards the request to the bank
that issued the card, or card association, through standard banking
electronic channels. If the transaction is approved, the approval code is
sent back to the QuzaClear server. The QuzaClear server forwards the
approval or denial back to the merchant's server which informs the
customer that the transaction is complete.

There are firewalls securing both the merchant to...



7/3,K/10 (Item 4 from file: 636) 

DIALOG (R) File 636: Gale Group Newsletter DB(TM) 
(c) 2003 The Gale Group. All rts. reserv. 

03608254 Supplier Number: 47470379 (USE FORMAT 7 FOR FULLTEXT) 
PEAPOD GROUP: Internet and e-mail bills to fall by up to 95% 

M2 Presswire, pN/A 
June 17, 1997 

Language: English Record Type: Fulltext 
Document Type: Newswire; Trade 
Word Count: 647

... checks whether the user is an i-pass customer (i-pass servers are
located all over the world)

If the customer is recognised, i-pass forwards the request to the
user's corporate authentication server where it is checked again

If the server recognises the user, validation of the request is sent
back to the original, local ISP and the...



7/3,K/11 (Item 5 from file: 636)

DIALOG (R) File 636: Gale Group Newsletter DB(TM)
(c) 2003 The Gale Group. All rts. reserv.

02746397 Supplier Number: 45573473 (USE FORMAT 7 FOR FULLTEXT)
NEWS AND NOTES

Health Industry Today, v58, n6, pN/A
June, 1995

Language: English Record Type: Fulltext
Document Type: Newsletter; Professional Trade
Word Count: 1714

(USE FORMAT 7 FOR FULLTEXT)
TEXT:

...discontinued operations as it completes the end of its three-year
funding cycle. HIMA, the Health Industry Manufacturers Assn., is now
distributing HCTI reports. Fax requests should be forwarded to Jeannine
Washington at 202-783-8750. Staar Surgical Co., Monrovia, Calif., received
FDA clearance for its ultraviolet-absorbing material for use in intraocular
lenses...

...the initial product of Abiomed's cardiovascular division. In November
1992, it became the first such device to receive FDA clearance and is the
only approved device capable of supporting both the right and left
sides of a failing heart. BVS-5000 has been installed in more than 100 U.S.
hospitals. Irving Levin Assoc., Inc., New Canaan...



7/3,K/12 (Item 1 from file: 16) 

DIALOG (R) File 16: Gale Group PROMT (R) 

(c) 2003 The Gale Group. All rts. reserv. 

06023573 Supplier Number: 53444832 (USE FORMAT 7 FOR FULLTEXT) 
Light at the end of the VPN tunnel. 
Global Telephony, n1067-6317, pNA
Dec, 1998 

Language: English Record Type: Fulltext 
Document Type: Magazine/ Journal; Trade 
Word Count: 102 

Step 2: The server at the local ISP sends the authentication request 
to the SingNet, which forwards the request to the corporate server 
for authentication located at the user's company. 

Step 3: SingNet sends the access authorization message back to the 
local ISP, which then provides the connection. 

Step. . . 



7/3,K/13 (Item 2 from file: 16) 

DIALOG (R) File 16:Gale Group PROMT (R) 

(c) 2003 The Gale Group. All rts. reserv. 

05296067 Supplier Number: 48063577 (USE FORMAT 7 FOR FULLTEXT) 
TACACS, RADIUS Secure Servers 

PC Week, p151
Oct 20, 1997 

Language: English Record Type: Fulltext 

Document Type: Magazine/ Journal; Tabloid; General Trade 

Word Count: 1537 

... A remote user interacts only with the remote access server, not the
back-end server.

When a user dials in, the access server starts a client process,
sending an authentication request over the network to its primary RADIUS
server, which has been configured by the access server administrator. The
administrator also may designate a secondary server, to which the access
server can direct authentication requests if the primary RADIUS server
fails to respond. Some RADIUS implementations allow for a RADIUS proxy
server, which automatically forwards authentication requests to
another RADIUS server if it can't authenticate a user.

Implementation varies by vendor, but the RADIUS server usually has
three main files. These include a database of users who may request
authentication...



7/3,K/14 (Item 3 from file: 16) 

DIALOG (R) File 16:Gale Group PROMT (R) 

(c) 2003 The Gale Group. All rts. reserv. 

05295610 Supplier Number: 48063015 (USE FORMAT 7 FOR FULLTEXT) 
Steel-Belted RADIUS 1.3 offers strong, flexible remote access

Hall, Eric
InfoWorld, p72D
Oct 20, 1997

Language: English Record Type: Fulltext
Document Type: Magazine/Journal; Trade
Word Count: 1253

... you can't effectively distribute the user-account information
outward.

Many remote-access vendors have begun to support the RADIUS protocol,
allowing the remote-access devices to forward authentication
requests onto a master authentication device, such as a Unix host. But
these solutions are not integrated into the network security services,
requiring administrators to manage accounts and passwords.

Steel-Belted...



7/3,K/15 (Item 1 from file: 148) 

DIALOG (R) File 148:Gale Group Trade & Industry DB 
(c)2003 The Gale Group. All rts. reserv. 

10741084 SUPPLIER NUMBER: 53552231 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

Adding smarts to the network cloud. (Layer 4 switching circuits) 
Bellman, Bob 

Business Communications Review, 28, 12, 39(5) 
Dec, 1998 

ISSN: 0162-3885 LANGUAGE: English RECORD TYPE: Fulltext; Abstract 

WORD COUNT: 3069 LINE COUNT: 00248 

Happy Users 

Server switch customers like the results. For example, WebTV 
Networks, Inc. (www.webtv.net), uses Alteon's ACEdirector switch to spread
its user-authentication traffic across four RADIUS servers. "We give
ISPs a virtual IP address, and the switch forwards RADIUS requests to
our real servers," explains Jim Kubon, senior network consultant at WebTV.

If a server is down or overloaded, the switch stops sending new
sessions...



7/3,K/16 (Item 2 from file: 148) 

DIALOG (R) File 148: Gale Group Trade & Industry DB
(c)2003 The Gale Group. All rts. reserv.

10461403 SUPPLIER NUMBER: 21083469 (USE FORMAT 7 OR 9 FOR FULL TEXT)

NASBA helping to keep credentials up to snuff.

Cheney, Glenn

Accounting Today, v12, n15, p5(2)
August 24, 1998

ISSN: 1044-5714 LANGUAGE: English RECORD TYPE: Fulltext

WORD COUNT: 749 LINE COUNT: 00063

the requirements of different states and territories, the National
Association of State Boards of Accountancy has launched a program called
CredentialNet. In essence, the program verifies and stores credential
information for client CPAs, tracks continued professional education
credits, evaluates credentials against Uniform Accountancy Act standards
and, upon request, forwards all this information to state boards of
accountancy.

"As states began to get serious about reciprocity, it became
mandatory that we put together a program...



7/3,K/17 (Item 3 from file: 148) 

DIALOG (R) File 148: Gale Group Trade & Industry DB 
(c)2003 The Gale Group. All rts. reserv. 

10204065 SUPPLIER NUMBER: 20597459 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

TEST CENTER RX. (Question and Answer) 
Wonnacott, Laura 
InfoWorld, v20, n19, p52(1)
May 11, 1998 

ISSN: 0199-6649 LANGUAGE: English RECORD TYPE: Fulltext 

WORD COUNT: 668 LINE COUNT: 00053 

... a stand-alone NT Server on network B. The DHCP Relay agent allows
Windows NT Server to relay DHCP broadcasts between a DHCP server and
client across a router. Essentially, it permits forwarding DHCP
information between subnets. DHCP requests are broadcast requests, and
these requests are not routed between your segments. Currently, your relay
is not working -- that's why clients on network B...

DIALOG (R) File 148: Gale Group Trade & Industry DB
(c)2003 The Gale Group. All rts. reserv.

09999916 SUPPLIER NUMBER: 20205453 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

Trio launches secure remote access solution. (Sea Change Corp.; iPass Inc.;
Secure Computing)

Bisby, Adam

Computer Dealer News, v13, n23, p1(2)
Nov 17, 1997

ISSN: 1184-2369 LANGUAGE: English RECORD TYPE: Fulltext

WORD COUNT: 691 LINE COUNT: 00060

and password and sends it via the Internet to the nearest iPass
transaction server. The iPass transaction server reads the user's domain
name and forwards the request to the user's corporate authentication
server. If the corporate server validates the user, authorization is
sent back via the Internet to the local ISP, which enables the connection.
In addition, iPass pays ISPs for the usage on their networks...



7/3,K/19 (Item 5 from file: 148) 

DIALOG (R) File 148:Gale Group Trade & Industry DB 
(c)2003 The Gale Group. All rts. reserv. 

08934703 SUPPLIER NUMBER: 18604362 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

Searching for directory services. (Lightweight Directory Access Protocol) 

Passmore, David 

Business Communications Review, v26, n7, p18(2)
July, 1996 

ISSN: 0162-3885 LANGUAGE: English RECORD TYPE: Fulltext; Abstract 

WORD COUNT: 1695 LINE COUNT: 00142 

... shortcomings of directory services like X.500. 

LDAP was originally proposed as a simplified version of the X.500 DAP 
(Directory Access Protocol), which would permit TCP/IP-based clients to
gain access to X.500 directory servers. In its original concept, an LDAP 
server would always act as an intermediary: mapping LDAP requests from a 
TCP/IP-based client into DAP requests that could be forwarded onto a 
separate X.500 DSA server. The data would reside with the X.500 server, not 
with the LDAP server. 

The concept, however, has. . . 



7/3,K/20 (Item 6 from file: 148) 

DIALOG (R) File 148:Gale Group Trade & Industry DB 
(c)2003 The Gale Group. All rts. reserv. 

08892285 SUPPLIER NUMBER: 18576712 

Spinning a secure Web. (Gradient Technologies' WebCrusader products) 
(Product Information) 

Elledge, Don; Ando, Arata; Hart, Douglas W. 
InformationWeek, n592, p72(3)
August 12, 1996 

ISSN: 8750-6874 LANGUAGE: English RECORD TYPE: Fulltext; Abstract 

WORD COUNT: 1570 LINE COUNT: 00137 

write multithreaded Web applications that access databases or other
enterprise services. Gradient provides C class libraries that implement a
secure Common Gateway Interface (CGI). Users forward CGI requests to
the Secure AppEngine server the same way they request a CGI script from a
Web server. The Secure AppEngine accesses the DCE Security Server to
verify the user's identity and check permissions, making it impossible for
the user to send bogus user information.

Access controls can be created for any...

DIALOG (R) File 148: Gale Group Trade & Industry DB
(c)2003 The Gale Group. All rts. reserv.

07813397 SUPPLIER NUMBER: 17016336 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

MSS: absolute coverage for North America has arrived, (mobile satellite 
services) 

Johanson, Gary A. 

Satellite Communications, v19, n4, p40(3)
April, 1995 

ISSN: 0147-7439 LANGUAGE: ENGLISH RECORD TYPE: FULLTEXT 

WORD COUNT: 1336 LINE COUNT: 00112 

... dials the directory number of the desired mobile terminal. The
public switched telephone network directs the call to the feederlink earth
station, which performs initial validation of the mobile terminal and
forwards the call request to the network communications controller.

When the mobile terminal is validated and the satellite and ground
network resources are available, the controller broadcasts a call...

DIALOG (R) File 148: Gale Group Trade & Industry DB
(c)2003 The Gale Group. All rts. reserv.

04566582 SUPPLIER NUMBER: 08135650 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

A case study of employee frauds.

Seidman, Jack S.

CPA Journal, v60, n1, p28(8)

Jan, 1990

ISSN: 0732-8435 LANGUAGE: ENGLISH RECORD TYPE: FULLTEXT; ABSTRACT

WORD COUNT: 5812 LINE COUNT: 00441

... circumstances with the auditor's client.

Auditors can aid in the process if their verification letters make
the specific exhortation about steering clear of the client's personnel.
Certainly a verification should be regarded as a nullity, and second
requests forwarded, when a verification that should be coming from an
outsider comes instead from the client's office.

Reminders for the Auditor

The fraud cases also...

03884181 SUPPLIER NUMBER: 07121966 (USE FORMAT 7 OR 9 FOR FULL TEXT)

AT&T to take AFCAC 251 orders beginning March 24.

Bass, Brad

Government Computer News, v8, n6, p3(1)
March 20, 1989

ISSN: 0738-4300 LANGUAGE: ENGLISH RECORD TYPE: FULLTEXT 

WORD COUNT: 418 LINE COUNT: 00032 

been taking place.

Dunlap also said the Air Force has changed its procedures for
ordering the AFCAC 251 systems. He said buyers must have orders approved
by their base computer requirements boards. If approved, order
requests will be forwarded to a major command representative, who will
pass it along to SSC.

SSC officials will validate each request and assign it a priority and
a...

Running DHCP services across a subnet requires use of a relay

Wonnacott, Laura

InfoWorld v20n19 PP: 52 May 11, 1998
WORD COUNT: 612

...TEXT: on a standalone NT Server on network B. The DHCP Relay agent 
allows Windows NT Server to relay DHCP broadcasts between a DHCP server and 
client across a router. Essentially, it permits forwarding DHCP 
information between subnets. DHCP requests are broadcast requests, and 
these requests are not routed between your segments. Currently, your relay 
is not working — that's why clients on network B...

Building remote access security

...ABSTRACT: evolution in remote access management was primarily due to the
invention of the Remote Access Dial-In User Service (RADIUS) protocol.
RADIUS created a client/server architecture that enabled the efficient
authentication, authorization and session accounting data for users of
remote access networks. To promote the adoption of RADIUS as an industry
standard, Livingston Enterprises released a...

... and more sophisticated RADIUS servers with greater fault-tolerance
capabilities. The RADIUS standard is evolving to handle outsourced remote
access by adding the capability to forward authentication requests
to a RADIUS server located at the enterprise network. It can also be
used to dynamically configure the virtual private networking tunnels used
for transporting outsourced traffic to the...

...TEXT: proposing to deliver outsourced remote access services to
enterprise corporations.

The RADIUS standard is evolving to handle outsourced remote access by
adding the capability to forward authentication requests to a RADIUS
server located at the enterprise network.

(Chart Omitted)

Captioned as: HOW IT WORKS

It also can be used to dynamically configure the virtual private networking
tunnels...

locations and dial into foreign dial-in pools, they need only
specify their qualified user name. If configured on the local proxy RADIUS
server, the requests can be forwarded to their home RADIUS server
for ultimate authentication.

Why not just specify multiple authentication servers on the NAS? 
RADIUS clients in most access servers allow multiple AAA servers, but 
only for failover. If...

write multithreaded Web applications that access databases or
other enterprise services. Gradient provides C class libraries that
implement a secure Common Gateway Interface (CGI). Users forward CGI
requests to the Secure AppEngine server the same way they request a CGI
script from a Web server. The Secure AppEngine accesses the DCE Security
Server to verify the user's identity and check permissions, making it
impossible for the user to send bogus user information.
Access controls can be created for any...



7/3,K/28 (Item 1 from file: 674) 

DIALOG (R) File 674: Computer News Fulltext 

(c) 2003 IDG Communications. All rts. reserv. 

072587 

Id, please 

Vasco's VACMan/Server proves its mettle in our look at five security
server/hardware token combos.

Byline: Ter Parnell

Journal: Network World Page Number: 47

Publication Date: March 01, 1999

Word Count: 1847 Line Count: 179

Text:

... manage. Of course, there's the problem of keeping track of 1,000+
tokens, but a more substantive concern is managing the back-end security
server, also known as the authentication server. This is the platform
that holds user configuration information for tokens and allows you to
manage and edit the information. It gives the actual gatekeeper...

... designed for a Microsoft environment. Although its RADIUS module 
supports authentication for all RADIUS-compliant environments, it really 
isn't intended for use as an authentication server for anything but a 
Windows NT logon, Windows NT RAS or Microsoft Internet Information Server 
(IIS) application. Coming in a distant third for manageability was... 
...the notes in a safe place. SafeWord's strong point is its elegant method
of authentication forwarding. If a guest user tries to authenticate,
SafeWord forwards the authentication request to the user's home domain.
With this method, authentication domains don't have to be maintained
separately at each remote site. Within North America ... authentication on
all versions of Unix, VAX/VMS and NT 4.0 domains. It supports RADIUS for
Windows NT RAS, allowing SafeWord through its RADIUS server to
authenticate users trying to access Windows NT domains. Although SafeWord

Solaris, and Linux. Instead of following the trend toward IPSec for
encryption and authentication, Aventail is firmly in the SOCKS 5 camp.

SOCKS is a proxy server protocol that intercepts client service
requests, sends them to a SOCKS server to verify that the request is
valid, and then creates an authenticated session with the client. (For
more on SOCKS and other VPN protocols, see the Tutorial "Lesson 123:
Virtual Private Networks," October 1998, page 21.)

Aventail ExtraNet Center also supports...

TACACS, RADIUS secure servers, (terminal access controller access control
(includes related article on Cisco Systems' Web site) (Technology
WORD COUNT: 1655 LINE COUNT: 00136

... A remote user interacts only with the remote access server, not the
back-end server.

When a user dials in, the access server starts a client process,
sending an authentication request over the network to its primary RADIUS
server, which has been configured by the access server administrator. The
administrator also may designate a secondary server, to which the access
server can direct authentication requests if the primary RADIUS server
fails to respond. Some RADIUS implementations allow for a RADIUS proxy
server, which automatically forwards authentication requests to
another RADIUS server if it can't authenticate a user.

Implementation varies by vendor, but the RADIUS server usually has
three main files. These include a database of users who may request
authentication...

a gateway and isolate your LAN from the Internet. For example, if
you try to open a document located on an external Web site, the proxy
server accepts that request, goes to the Web site, and retrieves the
document. The proxy server verifies the data and the request before
it sends it to the client's browser.
A More Secure Server

Most firewalls depend on any two of three network communication
devices — network adapters, ISDN modems...

mechanism that enables hosts on one side of a Socks-enabled server
to gain full access to hosts on the other side, without requiring a direct
connection.

It performs three basic operations: connection requests, proxy
circuit setup, and application data relay. (Socks 5 will include
authentication.) The application client puts in a request to Socks to
communicate with the server. This request contains information about the
address of the application server, the type of...

Rules-based scripting language

The hub supports database communications including Object DataBase 
Connectivity, Request Procedure Calls, message-oriented middleware, 
object request brokers, Distributed Computing Environment and transaction 
processing. The Service Warehouse includes the scripting language for 
creating Apilink services. . . 

...client extensions, and an engine and supervising kernel that executes 
Apilink services and logs events, allocates channels and access, supports 
batch processing and security and authentication services. Servers are 
developed using the rules-based scripting language which encapsulates 
processes, transactions and services. Client interfaces support TCP/IP, 
Remote Procedure Call, LU 6.2... 



12/3,K/6 (Item 6 from file: 275) 

DIALOG (R) File 275: Gale Group Computer DB(TM) 
(c) 2003 The Gale Group. All rts. reserv. 

01880969 SUPPLIER NUMBER: 17883146 (USE FORMAT 7 OR 9 FOR FULL TEXT) 

100VG-AnyLAN's high speed hopes, (part 2) (ten 100VG-AnyLAN products) 
(Hardware Review) (Evaluation) 

Frank, Alan; Fogle, David 



LAN Magazine, v11, n1, p128(6) 
Jan, 1996 

DOCUMENT TYPE: Evaluation ISSN: 1069-5621 LANGUAGE: English 

RECORD TYPE: Fulltext; Abstract 

WORD COUNT: 3837 LINE COUNT: 00297 

... at 87-percent utilization. 

THE HUBBUB IN 100VG 

100VG hubs operate a little differently than 10BaseT repeaters. For 
one thing, a 100VG hub doesn't permit a device attached to one of its 
ports to transmit a packet until that device has first sent a request 
to the hub, and the hub has given it the go-ahead. When a packet is 
transmitted, the hub does not echo the packet to all ports. Instead, it 
forwards the . . . 
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... network. Unlike traditional 802.3 Ethernet, which is a 

collision-based architecture, 100VG uses Demand Priority Architecture to 
manage traffic. Demand Priority means that each hub keeps track of the 
requests to transmit for each node attached to it. Only one node is 
given permission to send data at any time. This eliminates collisions, 
and in the process makes the network more deterministic, allowing video to 
arrive with all of... 
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Introduction to 100VG-AnyLAN and the IEEE 802.12 local area network 
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Albrecht, Alan R.; Thaler, Patricia A. 
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... 802.2 logical link control (LLC) sublayer. The media access control 
(MAC) sublayer provides data formatting and control of packet transmission 
(or reception) in the transmitting (or receiving) node. The MAC also 
initiates outgoing control requests and acts on received control 
indications. 

Each hub provides control of its connected star portion of the 
network. The RMAC sublayer provides a superset of the functions of the 
node's MAC sublayer (except frame formatting). It selects which node will 
next be granted permission to send a packet, determines where the 
received packet will be sent, provides local control of packet reception 
and retransmission, and monitors each connected link. . . 
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... existing Ethernet and token-ring networks. 

100VG-AnyLAN depends on more intelligence in the hubs. Under the 
demand priority access method, network nodes issue a request (or demand) 
to the hub for sending a packet to another network address. The hubs 
continuously scan for node requests in a round-robin fashion and grant a 
node send privileges by clearing their signals from two of the wire 
pairs. The hub also notifies the receiving node that a packet is about to 
be received. . . 
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from the standard Ethernet Demand Priority Access Method (DPAM). 
Under the proposed architecture, priorities can be assigned to specific 
message packets. The node signals the hub that it has a packet to send 
and requests either normal or high-priority service. If the network is 
idle, the hub allows nodes to transmit on a first-come, first-served basis. 
Since the node has permission to send, it doesn't need to listen, so it 
sends the packet to the hub in a broadcast, without contention, using four 
pairs of . . . 
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... greater support for time-sensitive applications. 

Demand Priority takes advantage of the star topology used in many 
desktop networks by using simple intelligence in the hub to arbitrate 
requests for packet transmission. For example, a node requests 
permission from the hub to transmit a packet over the network. If the 
network is idle, the hub acknowledges the request and the station 
begins transmitting its packets to the hub. As the packet arrives, the 
hub decodes the destination address and directs the packet to the outbound 
destination port. 

According to Clark, because the data... 
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... Access Method is a proposed replacement for Ethernet's traditional 
CSMA/CD media-access method. This technique gives responsibility for 
network access to a central hub, rather than to individual workstations. 
Network stations can request permission to transmit data by 
priority; the hub transmits high-priority data first. 

Ethernet Ethernet LANs operate over twisted-pair wire and over 
coaxial cable at speeds of up to 10M bps. The theoretical... 
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. . . provide security services to applications while eliminating the 
need to make any modifications to the applications, saving organizations 
time and money. Wrappers function much like proxy servers, intercepting 
and redirecting access requests to the Keon Security Server (TM) to 
verify that a user is authorized. 

Keon Agent software also works in conjunction with other Keon 
products and is designed to provide secure, single sign-on... 
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... single sign-on, and easy credential management. 

Taking advantage of Netscape's LAS (Loadable Authentication Service) 
architecture, Web Agent 2.0 integrates with Netscape Web servers, 
providing powerful authentication without Public Key credential 
management headaches. All user credentials can be centrally administered, 
enabling credential policy management, easy credential revocation, and 
credential portability. Furthermore, the... 



. . .back-end service, such as an Oracle database. Additionally, compared to 
"basic" Web authentication where the password and username cross the wire 
with each page request, Web Agent 2.0 features enhanced security, where 
user credentials are sent over the wire only once. 

SSO/Web 1.0 is an optional Netscape browser plug-in that acts as a 
companion product to the TrustBroker. . . 
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service based on the number of secure tunnels used by the 
subscriber . 

Additionally, BSAC V2.1 comes equipped to offer added flexibility via 
its RADIUS Proxy support that allows service providers the ability to 
forward authentication requests to remote RADIUS servers. Proxy 
RADIUS support allows service providers the ability to deploy BSAC in 
each one of its POPs for integration into a remote centralized server that 
offers ease of control management. 

"BSAC. . . 
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... application data warehouse. During the setup of proxy circuits, 
SOCKS can also authenticate, negotiate the message security level, and 
authorize. 

SOCKS4 performed three functions: connection request, proxy server 
setup and application data relay. SOCKS5 brings authentication to the 
table. With authentication, SOCKS5 adds two messages. The application 
client sends the first message to SOCKS, declaring the authentication 
methods that the client can support. SOCKS sends a message back to the 
client, announcing the method the client should use. SOCKS determines the 
authentication method on the basis of the security policy defined in the 
SOCKS server configuration. If the client-declared methods fail to meet the 
security requirement. . . 
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... Funk's fault; it followed RFC 2138 to the letter. The proxy expects 
the target server (in this case, Livingston and Novell) to return a 
"Proxy-State" variable as delivered in the initial proxy request. However, 
neither target server successfully returned the variable (violating the 
RFC). Funk's proxy server correctly rejected the successful target 
authentication as illegal. 

Ironically, Shiva's Access Manager came to the rescue-by not enforcing 
the RFC. Since it didn't insist on the return of... 
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... Wall antivirus software. 

Like Microsoft's Proxy Server, Netscape's Proxy Server can handle 
reverse proxying, otherwise known as "extranet proxying." You can have the 
Proxy Server redirect Web requests to a Web server inside the proxy 
and get the benefit of HTML caching for the outbound requests, too. 

Netscape handles its Proxy's management a little differently than 
Microsoft. Instead of using a specific configuration utility, you can 
configure Proxy from any browser that supports Java scripts, such as 
Netscape Navigator. Like all members of the Netscape family of servers, you 
can administer Proxy via the Netscape Administration Server. Once 
authenticated, you have complete access to all aspects of the Proxy 
Server's configuration. We like the browser-based configuration because we 
can manage the server... 
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... A remote user interacts only with the remote access server, not the 
back-end server. 

When a user dials in, the access server starts a client process, 
sending an authentication request over the network to its primary RADIUS 
server, which has been configured by the access server administrator. The 
administrator also may designate a secondary server, to which the access 
server can direct authentication requests if the primary RADIUS server 
fails to respond. Some RADIUS implementations allow for a RADIUS proxy 
server, which automatically forwards authentication requests to 
another RADIUS server if it can't authenticate a user. 

Implementation varies by vendor, but the RADIUS server usually has 
three main files. These include a database of users who may request 
authentication. . . 
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... and sent back to the agent with the invoice. The agent then adds an 
identification number and sends all information to the CyberCash server 
which relays a standard credit card or debit authorization request to 
the agent's bank. When the authorization has been processed, the 
CyberCash server sends the response to the agent who completes the 
transaction. 

Digicash of Palo Alto, Calif., is working on a similar system that 
will eventually allow. . . 
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now available for UNIX and other types of computers, the TravelNet 
software lets users construct a reservation request with an on-screen 
template and then transmit the request to the agency, where it is 
processed by an agent . The template limits options to those approved by 
the client corporation and prepares information for storage on a 
corporate database. The reservation can be transmitted over several types 
of electronic mail systems, including Microsoft Mail... 
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... shortcomings of directory services like X.500. 

LDAP was originally proposed as a simplified version of the X.500 DAP 
(Directory Access Protocol), which would permit TCP/IP-based clients to 
gain access to X.500 directory servers. In its original concept, an LDAP 
server would always act as an intermediary: mapping LDAP requests from 
a TCP/IP-based client into DAP requests that could be forwarded onto a 
separate X.500 DSA server. The data would reside with the X.500 server, not 
with the LDAP server. 

The concept, however, has... 
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... Web servers and Secure AppEngine resources. 

Secure AppEngine: The Secure AppEngine lets developers write 
multithreaded Web applications that access databases or other enterprise 
services. Gradient provides C class libraries that implement a secure 
Common Gateway Interface (CGI). Users forward CGI requests to the 
Secure AppEngine server the same way they request a CGI script from a Web 
server. The Secure AppEngine accesses the DCE Security Server to verify 
the user's identity and check permissions, making it impossible for the 
user to send bogus user information. 

Access controls can be created for any. . . 
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Fox, Armando; Brewer, Eric A. 

Computer Networks and ISDN Systems, v28, n7-11, p1445(12) 
May, 1996 

ISSN: 0169-7552 LANGUAGE: English RECORD TYPE: Abstract 

ABSTRACT: The Pythia proxy for HTTP requests provides three key 
orthogonal benefits to World Wide Web clients. Guided by statistical 
models, real-time distillation and refinement enable users to bound latency 
and exercise . . . 



...the client directly understands may improve rendering on the client or 
give rise to a representation that can be transmitted more efficiently. A 
knowledge of client display constraints permit content optimization for 
rendering on the client. 
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...TEXT: solve this problem: an Authenticating Proxy Web Server and the 
L2TP protocol. 

The first way we are looking to solve this problem is with an 
"Authenticating Proxy Web Server." Added to the latest specification of 
the HTTP protocol (RFC 2068) (Fielding et al., 1997), this form of 
authentication allows the user to identify himself... 

... server before the proxy request is made. The traditional form of 
authentication in HTTP/1.0 passes through a proxy server to the remote Web 
server; this new form of authentication is intercepted and verified 
at the proxy server level. To access resources restricted to the CWRU 
campus, a remote user would set their browser to use our campus Web server 
as a proxy . . . 

... request the resource. Since the remote service would detect that the 
request was made from a valid IP address (the address of the campus Web 
proxy) the remote service would process the request and send the 
result back to the proxy, which would in turn send it back to the 
user. 

There are several disadvantages to this scheme. First, it adds a single 
point-of-failure to access the group of... 
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users roam through various locations and dial into foreign 
dial-in pools, they need only specify their qualified user name. If 
configured on the local proxy RADIUS server, the requests can be 
forwarded to their home RADIUS server for ultimate authentication . 

Why not just specify multiple authentication servers on the NAS? 
RADIUS clients in most access servers allow multiple AAA servers, but 
only for failover. If... 
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Funk's fault; it followed RFC 2138 to the letter. The proxy 
expects the target server (in this case, Livingston and Novell) to return 
a "Proxy-State" variable as delivered in the initial proxy request. 
However, neither target server successfully returned the variable 
(violating the RFC). Funk's proxy server correctly rejected the 
successful target authentication as illegal. 

Ironically, Shiva's Access Manager came to the rescue-by not 
enforcing the RFC. Since it didn't insist on the return of... 
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... Wall antivirus software. 

Like Microsoft's Proxy Server, Netscape's Proxy Server can handle 
reverse proxying, otherwise known as "extranet proxying." You can have the 
Proxy Server redirect Web requests to a Web server inside the proxy 
and get the benefit of HTML caching for the outbound requests, too. 

Netscape handles its Proxy's management a little differently than 
Microsoft. Instead of using a specific configuration utility, you can 
configure Proxy from any browser that supports Java scripts, such as 
Netscape Navigator. Like all members of the Netscape family of servers, 
you can administer Proxy via the Netscape Administration Server. Once 
authenticated, you have complete access to all aspects of the Proxy 
Server's configuration. We like 
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... Web servers and Secure AppEngine resources. 

Secure AppEngine: The Secure AppEngine lets developers write 
multithreaded Web applications that access databases or other enterprise 
services. Gradient provides C class libraries that implement a secure 
Common Gateway Interface (CGI). Users forward CGI requests to the 
Secure AppEngine server the same way they request a CGI script from a 
Web server. The Secure AppEngine accesses the DCE Security Server to 
verify the user's identity and check permissions, making it impossible 
for the user to send bogus user information. 

Access controls can be created for any. . . 
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RECORD TYPE: Fulltext 

SECTION HEADING: Enterprise Computing 
TEXT: 

... IBM's DB2, Computer Associates International's Ingres, and 
Informix, Oracle, and Sybase offerings. IBI has re-architected EDA/SQL 
into modules. A new Hub Server, for example, validates user security 
at a single location; its global directory stores rules for distributing 
requests. Also, Hub Server, which runs on numerous Unix-based servers, 
IBM's MVS and OS/2, and Microsoft Corp.'s Windows NT, contains a query 
governor that . . . 
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Abstract: We present an integrated secure group access control tool to 
support workgroups on the World-Wide Web. The system enables user 
authentication, encrypted communication and fine-grained group access 
control. The tool comprises two proxies: one running on the server side and 
the other one on the client side. Typically the browser sends a query to 
the client side proxy which contacts the server side proxy for 
authentication, session key exchange and checking of access rights. The 
server side proxy finally forwards the request to the HTTP server. 
Our tool is completely transparent to the user and compatible with any Web 
server and browser. It can also become part of a firewall configuration. 
(Author abstract) 7 Refs. 

Descriptors: ^Computer aided software engineering; World Wide Web; Data 
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Document Type: JA; (Journal Article) Treatment: G; (General Review); T; 
(Theoretical) 
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Abstract: This paper proposes a Hierarchical, Distributed, Dynamic, 
Inventory management (HDDI) scheme. HDDI introduces the concept of 
emergency replenishment, wherein a retail unit is permitted to request 
the transfer of items from another retail unit in the neighborhood 
when, despite an outstanding reorder request from the warehouse, the 
demand continues to rapidly deplete the inventory level and the latter 
falls below an emergency threshold value. To be effective, with today's 
rapid price changes and fast-paced consumer demand, the cost function in 
HDDI is dynamic, i.e., reevaluated with current system parameters whenever 
the inventory level falls below the threshold. For fast results, the 
overall inventory management computation is distributed among all of the 
retail units. HDDI is modeled for a few representative inventory management 
networks, simulated on 17 plus SUN workstations for stochastically 
generated demand functions and for different sets of values of the key 
parameters, and the performance results are reported. (Author abstract) 24 
Refs. 
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Abstract: In this paper, we study the end-to-end performance of 
interconnected local area networks (LAN) with server/client configuration. 
This system uses bridges to connect two token-ring LANs through a 
high-speed communication link. A server station located on one LAN 
receives requests from client -stations on the same LAN as well as on 
the remote LAN, processes the requests, and returns responses to the 
client-stations. The end-to-end connections of the interconnected network 
are modelled as single-chain and multiple-chain closed queueing systems, 
which are solved by an iterative algorithm based on the MVA (mean value 
analysis) method. The performance examples are shown in terms of various 
system parameters such as the window size, server processing speed and 
internetwork transmission capacity, and are verified by computer 
simulations. (Author abstract) 7 Refs. 
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Abstract: One of the most common problems in the response to telephone 
calls for emergency services (ambulance, police, fire, etc.) is to insure 
that the responding agency has the appropriate location information and, in 
the case of individuals with a history of heart disease or other possibly 
life threatening affliction, pertinent information on their particular 
medical situation. Typically a 911 Public Safety Answering Point (PSAP) or 
other response agency must depend upon the information solicited from the 
caller. In some modern emergency response systems, such as Enhanced 911 
(E911), Automatic Location Information (ALI) is available from the 
operating telephone company. Typically, however, E911 may be cost effective 
only for relatively large jurisdictions. This is particularly true for 
those systems in which the information is obtained from the telephone 
company central data base by means of (redundant) dedicated, high speed 
data lines. In a previous paper [1], the 
authors investigated a device, located at the subscriber's residence, 
which would transmit, via a modem, location and other information to the 
PSAP upon activation by a request-to-send (RTS). Although the device 
was technically successful, it had a high projected cost. In the present 
paper an alternate system approach is taken in which a device located at 
the subscriber's residence transmits only a seven digit 'touch tone' code 
(typically the subscriber's telephone number) to a personal computer in the 
PSAP. The computer performs a 'reverse directory' database lookup for 
address and/or other pertinent information (eg. emergency medical 
information) and displays the information which enables the dispatcher to 
send the appropriate response. The system will also be useful in the case 
of telephone offices which automatically provide Automatic Number 
Identification (ANI) but not ALI. This paper describes the system and its 
device and software components, system costs and discusses several 
applications in the area of emergency response to telephone requests for 
service, including a low cost automated medical service request system 
which can be activated by a simple handheld device. (Author abstract) 
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Abstract: A planning tool in the form of a robust simulation-based model 
is proposed for the performance evaluation of noncached and cached DASD 
subsystems. It is validated with performance data obtained from a 
real-world environment. This planning tool is part of ongoing research in 
the development of a four-level distributed information system simulator. 
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E.I. Conference No.: 10345 
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(Bulletin) UKY BU 143. Jul 1987 Publ by Univ of Kentucky, Lexington, KY, 
USA. Available from IEEE Service Cent (Cat n 87CH2494-3), Piscataway, NJ, 
USA p 141-147 

Publication Year: 1987 

CODEN: UKOBDS ISSN: 0270-6504 ISBN: 0-89779-068-5 
Language: English 

Document Type: PA; (Conference Paper) 
Journal Announcement: 8712 

Abstract: The author argues that a university computing environment must 
rely on some degree of secure operation and that a minimum of the following 
security entities are required to provide secure access to 
authentication requests: node-to-node line verification (caller's 
node number); the connected device (hardware ID) and user's 
identification (user-name/password) must be compared against access control 
information, and a security layer that establishes procedures between host 
and network such as routing of data (access-path), node information, and 
user's authentication. 4 refs. 
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Language: English Document Type: Journal Paper (JP) 
Treatment: Applications (A); Practical (P) 

Abstract: This paper introduces a new distributed data object called 
resource controller that provides an abstraction for managing the 
consumption of a global resource in a distributed system. Examples of 
resources that may be managed by such an object include; number of messages 
sent, number of nodes participating in the protocol, and total CPU time 
consumed. The resource controller object is accessed through a procedure 
that can be invoked at any node in the network. Before consuming a unit of 
resource at some node, the controlled algorithm should invoke the procedure 
at this node, requesting a permit to consume a unit of the resource. 
The procedure returns either a permit or a rejection. The key 
characteristics of the resource controller object are the constraints that 
it imposes on the global resource consumption. An (M, W)-Controller 
guarantees that the total number of permits granted is at most M; it also 
ensures that, if a request is rejected, then at least M-W permits are 
eventually granted, even if no more requests are made after the rejected 
one. In this paper, we describe several message and space-efficient 
implementations of the resource controller object. In particular, we 
present an (M, W)-Controller whose message complexity is O(n log^2 n 
log(M/W+1)) where n is the total number of nodes. This is in contrast to 
the O(nM) message complexity of a fully centralized controller which 
maintains a global counter of the number of granted permits at some 
distinguished node and relays all the requests to that node. (10 
Refs) 
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Abstract: Discusses various stages in the integration of transputers onto 
a general-purpose departmental computer network. A prototype facility has 
been established to permit access from networked computers to the 
familiar TDS and alien file server environments. Industry-standard personal 
computers are used to host individual transputers, and Ethernet is used to 
convey filestore and control requests to the networked server running 
as a user process on another processor. Enhancements to the basic facility 
are suggested which would allow it to be expanded to service the needs of a 
larger user population. (4 Refs) 
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User authentication method for remotely accessible computer system, 
involves decrypting password registered at server using input password 
and forwarding password relevant to access request 

Patent Assignee: SUN MICROSYSTEMS INC (SUNM ) 

Inventor: NIELSEN J 

Number of Countries: 001 Number of Patents: 001 
Patent Family: 

Patent No Kind Date Applicat No Kind Date Week 
US 6182229 B1 20010130 US 96615660 A 19960313 200148 B 
US 99451488 A 19991130 

Priority Applications (No Type Date): US 96615660 A 19960313; US 99451488 A 19991130 

Patent Details: 
Patent No Kind Lan Pg Main IPC Filing Notes 
US 6182229 B1 10 G06F-012/14 Cont of application US 96615660 
Cont of patent US 6006333 

Abstract (Basic): US 6182229 B1 

NOVELTY - The passwords of user registered at remote server are 
encrypted by master password, and stored in database. An 
authentication message is received from one server and client is 
inhibited from displaying authentication form. The master password 
from user is received and database is searched for corresponding 
message. The password registered at server is decrypted using the input 
password and is forwarded to server. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(a) Client computer system; 

(b) Recording medium storing password encryption program 

USE - For use in remotely accessible computer systems connected to 
internet. 

ADVANTAGE - Eases accessing of multiple remote servers as single 
master password is used, without any modifications of remote servers. 
Provides access security by retaining personal control for sensitive 
sites. 

DESCRIPTION OF DRAWING(S) - The figure shows the flowchart 
depicting user authentication process, 
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Request validating method involves fulfilling request by authenticating 
whether service request is sent by requestor 
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Inventor: CARTER S R; JENSEN D C; LAVANGE D H 
Number of Countries: 001 Number of Patents: 001 
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Abstract (Basic): US 6219652 B1 

NOVELTY - A record including a license packet is encrypted with 
public key associated with licensor, before storing in memory. A 
digital signature associated with licensor is generated and included in 
license packet which is forwarded to requestor (22). A service 
request having digital signature associated with requestor, is 
received and authenticated whether it is sent by requestor if so the 
request is fulfilled. 

DETAILED DESCRIPTION - A license request (24) includes a digital 
certificate having public key and digital signature, which are 
associated with requestor (22). A license packet including unique 
serial number, is generated by license granting entity (LGE) (26). An 
INDEPENDENT CLAIM is also included for computer implemented method 
for validating electronic request for service. 

USE - For electronically authenticating license of purchaser for 
using certain resources such as post-sale service through Internet. 

ADVANTAGE - Reduces costs associated with providing network based 
post-sale support service. Reduces and eliminates human involvement in 
granting a license to use a product. Eliminates unauthorized access to 
vendor's support resources. 

DESCRIPTION OF DRAWING(S) - The figure shows the block diagram 
illustrating communication between requestor and licensor. 

Requestor (22) 

License request (24) 

LGE (26) 
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File access managing method for network file server, involves accessing 
stored assignment information, to assign data processors for managing 
files based on the client request 

Patent Assignee: EMC CORP (EMCE-N) 
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Number of Countries: 001 Number of Patents: 001 
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US 6192408 B1 20010220 US 97938723 A 19970926 200131 B 

Priority Applications (No Type Date): US 97938723 A 19970926 
Patent Details: 

Patent No Kind Lan Pg Main IPC Filing Notes 
US 6192408 B1 50 G06F-015/16 

Abstract (Basic): US 6192408 B1 

NOVELTY - The stored assignment information indicating the 
respective data processors assigned to manage the files, is accessed, 
based on the client request. The request is forwarded to the 
relevant assigned data processor. The access management of requested 
file is performed by the respective processors. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for 
network file server. 

USE - For file access management in processing network using 
network file server. 

ADVANTAGE - Simultaneous access by large number of clients is 
enabled, as multiple data processors are used. Network interfaces are 
efficiently used, because the client requests are authenticated and 
authorized for accessing large number of files. Cache coherency 
problem is avoided, as different data processors are assigned to lock 
management for different files. 

DESCRIPTION OF DRAWING(S) - The figure shows the block diagram of 
data access model of network file system. 
System for replicated and consistent modifications in a server cluster 
using a master node to replicate transactions after receiving 
permission from a locker node 
Priority Applications (No Type Date): US 9862359 A 19980417 
Patent No Kind Lan Pg Main IPC Filing Notes 
Abstract (Basic): US 6163855 A 

NOVELTY - A requester determines which node is the master node, 
step 600, the master node forwards the transaction request to the 
locker node, step 602, the locker node saves the operation, step 604 
and the locker node then returns control to the master node, step 606. 
The master node selects a node for replicating, step 608, the master 
node requests the selected node to commit the transaction, step 610 and 
a successful process is evaluated, step 612. The master node then sends 
a message, step 618, to inform the locker node when the operation is 
completed. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is included for a 
method of communicating modification information to servers in a 
cluster. 

USE - Making replicated and consistent modifications in a server 
cluster. 

ADVANTAGE - Operation of system regardless of node or other 
failures. 

DESCRIPTION OF DRAWING(S) - The drawing is a flow diagram 
representing steps taken to replicate a transaction to nodes of a 
multiple-node cluster. 
Abstract (Basic): WO 200070503 A1 

NOVELTY - A processor (133) searches a record from a memory (135) 
based on a request received from selected device and verifies the 
identity of the selected device (105) based on the coded information 
present in the received request. An output element forwards the 
software components to the selected device through a communication 
network (145), after verification to attain a selected configuration. 

DETAILED DESCRIPTION - Several records associated with the devices 
are stored in a memory. An INDEPENDENT CLAIM is also included for a 
method of configuring device remotely. 

USE - For PC based products such as personal and handheld 
computers, wireless information devices, postage franking systems etc. 

ADVANTAGE - Enables the customer to realize a specific 
configuration after the receipt of computer. Saves man power and time 
for a manufacturer in installing the computer. 

DESCRIPTION OF DRAWING(S) - The figure shows the block diagram of 
server. 

Selected device (105) 

Processor (133) 

Memory (135) 

Communications network (145) 

Abstract (Basic): US 6085171 A 

NOVELTY - A client (10) receives service change request along with 
order data and document facsimile corresponding to customer (230). A 
server (4) coupled to the client via internet (30) verifies the 
billing address and number of the customer using a third party verifier 
(80) and then receives order data and facsimile from the client. The 
server forwards the request to the service provider (210) of the 
customer. 

DETAILED DESCRIPTION - The document facsimile comprises 
authorization document affixed with signature of the customer. The 
request is directed from the client through a gateway (180) and 
communication network (200) to the service provider accessed by local 
exchange carriers. INDEPENDENT CLAIMS are also included for the 
following: 

(a) service change request processing method; 

(b) service change request processing apparatus. 

USE - For processing request for changing communication services 
such as pre-subscribed interexchange carrier service, call waiting, 
call forwarding service, internet access, data, video-on-demand service 
and other services. 

ADVANTAGE - By the electronic submission of order data and document 
facsimile through internet, the orders are communicated quickly and 
accurately. Verification of customer using third party verifier, during 
request reception enables quicker service. 

DESCRIPTION OF DRAWING(S) - The figure shows the model view of the 
service change request processing system. 

Server (4) 

client (10) 

Internet (30) 

Verifier (80) 

Gateway (180) 

Communication network (200) 
Provider (210) 
Customer (230) 
Abstract (Basic): WO 200052557 A1 

NOVELTY - A sending unit forwards to the data processing apparatus 
of the opposing site a second credential request which is dependent 
upon the contents of the initial credential request. The credential 
requested pertains to the opposing site credentials that satisfy a 
second logical expression provided with the second credential request. 

DETAILED DESCRIPTION - Local site credentials are stored into a 
storing unit. A receiving unit accepts an initial credential 
request from a data processing apparatus situated at an opposing site, 
of which the request pertains to the stored local site credential which 
satisfies the logical expression of the request itself. 

USE - For client-server network. 

ADVANTAGE - Simple negotiation strategies can be applied 
immediately. Enables trust to be established automatically even when 
the parties involved require some knowledge of their counterparts 
before disclosing some of their credentials. 

DESCRIPTION OF DRAWING(S) - The figure shows the block diagram of 
the software components of the data processing apparatus. 
Wireless communication network system for use in mobile telecommunication 
unit, new digital cellular system, has authentication center which on 
receipt of challenge request message, generates return message 
Abstract (Basic): WO 200033598 A1 

NOVELTY - A predetermined node upon receipt of challenge request 
message including the code lock parameter, substitutes the stored code 
lock parameter for the code lock indicator and forwards the reused 
challenge messages to the authentication center for processing. The 
authentication center then generates a return challenge response 
message and then forwards the return challenge response message to 
overall processor and to the mobile station for validation. 

DETAILED DESCRIPTION - Over the air processor determines whether 
the code lock parameter corresponding to code lock indicator has been 
received from the network. When the code lock parameter is recovered, the 
over the air processor replaces the code lock indicator with code lock 
parameter and forwards the challenge request message including 
mobile station parameters and code lock parameters to authentication 
center. When the over the air processor does not receive code lock 
parameter, the over the air processor forwards the challenge request 
message including mobile station parameters and code lock indicator to 
predetermined node in the network. An INDEPENDENT CLAIM is also 
included for over the air mobile station activating method. 

USE - For new digital cellular systems known as personal 
communication systems (PCS), mobile telecommunication units. 

ADVANTAGE - It responds to mobile station challenge request prior 
to permitting the reading or downloading of new operating parameter 
using the over the air activation processor. 

DESCRIPTION OF DRAWING(S) - The figure shows the simplified diagram 
of wireless telecommunications including over the air activation 
processor. 
Authority approval system; generates Web page in response to request 
when authority approval is forwarded and sends information representing 
authority approval made at authority terminal 
Abstract (Basic): WO 200017801 A1 

NOVELTY - An I/I server (14) generates a Web page in response to a 
request when an authority approval is forwarded and sends 
information representing the authority approval made at the 
authority terminal (12) when required information is inputted into 
the Web page. 
Load sharing mechanism for automatic teller machine acquires right of 
control opposing to specified request terminal and forwards response 
telegraphic message to that terminal equipment 
Abstract (Basic): JP 2000029831 A 

NOVELTY - If response telegraphic message is returned from other 
system (30), then request terminal equipment (10) which transmit 
response telegraphic message by referring to content of relay 
telegraphic message information memory is specified. A processing unit 
(22b) acquires right of control opposing to specified request 
terminal equipment, and forwards response telegraphic message to 
request terminal equipment. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for the 
recording medium. 

USE - For load sharing in automatic teller machine installed in 
banks. 

ADVANTAGE - Performs optimum load distribution during reception of 
response telegraphic message by acquiring right of control of 
terminal equipment. 

DESCRIPTION OF DRAWING(S) - The figure shows principal block diagram 
of load sharing mechanism. (10) Request terminal equipment; (22b) 
Processing unit; (30) System. 
Abstract (Basic): WO 200000881 A1 

NOVELTY - Multiple devices e.g. host processors, file servers are 
coupled to the shared resource e.g. storage system over a network. Data 
at the shared storage system is apportioned into volumes and 
configuration data identifies which volumes of data are available for 
access by each of the multiple devices. The shared storage system 
includes a filter that only forwards requests to volumes for which 
the device has privileges to access. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for a 
host computer, an adaptor, and a storage system. 

USE - For computer system. 

ADVANTAGE - Filtering requests at the resource allows control of 
the data management to be centralized in one location, rather than 
distributed throughout the location. 

DESCRIPTION OF DRAWING(S) - The drawing shows a block diagram of 
the host processor and the storage system. 
Data relay forwarding apparatus for facsimile communication system 
connected to internet - transmits converted facsimile data corresponding 
to received e-mail data, only when reception of data forwarding service 
approval by communication apparatus which transmits E-mail data, is 
judged 

Patent Assignee: SANYO ELECTRIC CO LTD (SAOL) 
Number of Countries: 001 Number of Patents: 001 
Abstract (Basic): JP 11075006 A 

NOVELTY - A format transducer of communication apparatus (110), 
converts the e-mail data received from a communication apparatus (100), 
into corresponding facsimile data. The facsimile data are transmitted 
to a G3 facsimile (130), only when the reception of data forwarding 
service approval by the communication apparatus (100) is judged. 

DETAILED DESCRIPTION - A format transducer (106) of communication 
apparatus (100) converts the image data read by an image reader (101), 
into corresponding e-mail data. The e-mail data along with forwarding 
destination, is transmitted to a communication apparatus (110). An 
address authentication unit (115) confirms the destination address 
extracted from the received e-mail data by an extraction unit (114), 
for transmitting the converted facsimile data corresponding to received 
e-mail data, to G3 facsimile (130). 

USE - For facsimile communication system connected to internet. 

ADVANTAGE - Unnecessary data forwarding processing is prevented, 
when incorrect forwarding request is made. 

DESCRIPTION OF DRAWING(S) - The figure shows block diagram of 
facsimile communication system. (100,110) Communication apparatus; 
(101) Image reader; (106) Format transducer; (114) Extraction unit; 
(115) Address authentication unit; (130) G3 facsimile. 
Abstract (Basic): JP 11066025 A 

NOVELTY - A request group mediation circuit (1) and a reply group 
mediation circuit (2) arbitrate different data forwarding demands. An 
issuing device alternately publishes the approval to the data 
forwarding demands from the mediation circuits. 

USE - For arbitrating data forwarding demand between communication 
apparatuses. 

ADVANTAGE - Minimizes deviation of process performed between 
request group and reply group. Prevents capacity reduction of entire 
system. 

DESCRIPTION OF DRAWING(S) - The figure shows a block diagram of 
the mediation apparatus. (1) Request group mediation circuit; (2) Reply 
group mediation circuit. 
E-mail forwarding method in internet - involves performing authentication 
information calculation based on user's message 
Abstract (Basic): JP 10301903 A 

The method involves forwarding a confidential message and 
request for forwarding the information from a user telephone (141) 
to an apparatus (100). When communication circuit is set up for 
communication, the apparatus (100) converts the message into a text 
data and outputs it to a calculator (104) for performing calculation. 

The user's message is then sent to a server (120). The server 
performs authentication for the calculated message. The electronic 
mail is then sent to the apparatus. The mail is stored in a storage 
unit (107). The user again forwards a request for transmitting 
message to the apparatus. The electronic mail is retrieved from the 
storage unit. The mail is converted into an audio and is transmitted to 
user (141, 142). 

ADVANTAGE - Forwards electronic mail safely. Ensures high network 
utilization efficiency. 
Dwg. 1/11 

Title Terms: MAIL; FORWARDING; METHOD; PERFORMANCE; AUTHENTICITY; 
INFORMATION; CALCULATE; BASED; USER; MESSAGE 
Derwent Class: T01; W01; W02 
International Patent Class (Main): G06F-015/00 
International Patent Class (Additional): G06F-003/16; G06F-013/00; 
G06F-017/60; H04L-029/06 
File Segment: EPI 



7/5/31 (Item 29 from file: 350) 

DIALOG (R) File 350: Derwent WPIX 

(c) 2003 Thomson Derwent. All rts. reserv. 

012022825 **Image available** 

WPI Acc No: 1998-439735/199838 

XRPX Acc No: N98-342716 

Subscription method for mobile communications network - transmitting 
encryption information from home database to communications terminal 
requesting access, transmitting encrypted authentication request to 
home database, before checking authentication request for uniqueness 
Abstract (Basic): EP 861011 A 

The method involves forwarding an access right request (ARR) 
transmitted by a communications terminal over the communications 
network to a home database. Encryption information (RAND-F, RS) is then 
transmitted from the home database over the communications network to 
the requesting communications terminal. 

An authentication request (AREQ (RAND-P, RES1)), which is 
partially encoded by the communications terminal with the help of the 
encoding information, is transmitted over the communications network to 
the home database. The transmitted authentication request is checked on 
uniqueness in the home database, and the preceding steps are repeated 
at an ambiguity of the transmitted authentication request, whereby the 
encryption information is modified. 

USE - E.g. in DECT communication system. 

ADVANTAGE - Improves security, and enables use of existing protocol 
elements. 
Packet filtering apparatus in server-client type data processing system - 
approves forwarding of packet, when forwarding request of packet 
does not satisfy filtering conditions 
Abstract (Basic): JP 10133977 A 

The apparatus (1) has a storing unit (13) which stores a filtering 
condition set up by an environmental setting program (10). A judgment 
unit (14) judges request of a packet satisfying a filtering condition 
or not. Once the filtering conditions are not satisfied, a dynamic 
approval unit (17) provides approval for forwarding of the packet. 

ADVANTAGE - Performs flexible packet filtering process depending 
upon situation of application program. 
Synchronous data forwarding apparatus for computer system - has access 
depending on notification of acquisition of rights for bus utilisation by 
Abstract (Basic): JP 10083374 A 

The apparatus (1) has an asynchronously stipulated bus (10) through 
which one or more master devices (11,110,120) forward data as bus 
request is arbitrated. A mediation device (12) grants rights for 
bus utilisation to any of the master devices. A bus securing device 
(100) acquires rights for bus utilisation from the mediation device 
upon reception of bus utilisation request. 

An access notification circuit (102) notifies the acquisition of 
rights for bus utilisation to the master devices at predetermined time 
so that data forwarding might be started or stopped. Access control 
circuits (111,121) start or stop the forwarding of data depending on 
the notification from the access notification device. 

ADVANTAGE - Forwards synchronous data with predefined quantity for 
every master devices through asynchronously stipulated bus. Prevents 
generation of fault in interruption control. 
Abstract (Basic): JP 9265443 A 

The system (7) has an user authentication information table (19) 
which matches and user authentication information input by a client 
with an user authentication identifier. The user authentication 
information is supplied based on an user authentication request. The 
user authentication information is detected based on detection request. 
An user authentication information management unit (17) deletes the 
authentication information which controls the access time for every 
user. An existing system enquiry unit (18) receives the user 
authentication information from the management unit. A WWW gateway 
communication unit (15) communicates with a WWW network. An user 
authentication request is sent to the existing system inquiry unit 
based on the user authentication information registration request 
received from the WWW gateway mainbody through the communication unit. 
The authentication information identifier acquires the 
authentication registration request for the management unit. 

The authentication information request received from the network 
through the communication unit is forwarded to the management. An user 
management controller (13) forwards the deletion request received 
from the main body through the communication unit according to a 
communication break request from the user, to the management unit. An 
user management communication unit (14) communicates with the user 
management control unit for informing deletion request. 

ADVANTAGE - Improves security of user authentication information. 
Abstract (Basic): EP 665486 A 

The protection method involves receiving requests for documents 
from several users (117) having computers with displays (121) and 
printers (123). The computers are connected to a network (9), and the 
requests include unique user identification for each of the users. The 
requests are authenticated with a copyright server (7), which is 
used to direct a document server (3) to act upon proper request 
authentication. 

In response to this direction the document server creates encrypted 
documents along with a unique identification for each authenticated 
request and forwards the documents to the user through the network 
to corresp. agents of the authenticated request user. Each of the 
agents is selected from display agents and printer agents. The 
documents are encoded so that each document is uniquely encoded based 
on the unique identification, and are decrypted at the agent and so 
available for use when the secret keys are provided by the user. 

ADVANTAGE - Fully protects electronically published documents, and 
discourages distribution of illegal copies in violation of copyright 
laws, so that copies can be traced back to original owner. 
Abstract (Basic): WO 9120144 A 

The system is for communication between requesting receiving 
stations (B) and request-processing transmitting stations (A), provided 
with a source (1-4) of information of separately specifiable bulk data 
via a relatively low-speed communication path in a first network (6). 
The forwarding of the data receiving station (B) takes place in a 
packet-switched mode via a relatively high-speed transmission path in a 
second network (10). 

A supervisor incorporated in the system assigns temporary 
destination addresses to the receiving stations for the forwarding and 
grants permission for forwarding to the transmitting workstations 
on request. The actual forwarding takes place after a transmitting 
station which has received permission has detected, by 'end of packet' 
detector (18) that transmission of a previous packet has been 
completed. 

ADVANTAGE - Picture channel is used as efficiently as possible 
with waiting time limited to minimum. (45pp Dwg.No.1/7) 
Abstract (Basic): AU 8313583 A 

The interface has a microprocessor, an erasable programmable read 
only memory (EPROM) with a suitable control program and a RAM. A 
serial-parallel communication element connects the interface to a modem 
via a communications link. A parallel-serial communication element 
connects the interface to the host computer via approved hazardous 
voltage isolators and data leads. 

A voice generation sub-system and an auto-dialling circuit are both 
connected to the microprocessor and the telephone by-passing the modem. 
At the retail outlet, data on a portable data entry device is fed into 
the switched network via a suitable attachment on the telephone. The 
interface allows a host computer full control of a half-duplex 
auto-answer modem where the software and/or hardware of the host 
computer makes communication on more than data leads only difficult or 
impossible. 
ABSTRACT 

PROBLEM TO BE SOLVED: To increase the number of station devices capable of 
being connected to a network by performing the connection operation of 
plural slave hub devices by making a master hub device give a 
transmission right to plural slave hub devices in a prescribed order. 

SOLUTION: Each slave hub device 2a to 2c sends a transmission right 
request signal to a master hub device 1 through control signal lines 
41a to 41c to acquire a transmission right. The device 1 successively 
checks the lines 41a to 41c, outputs a corresponding transmission 
permission signal if the transmission right request signal exists and 
gives the transmission right to a corresponding slave hub device. A 
slave hub device which acquires the transmission right sequentially 
gives the transmission right to station devices which are connected to 
self-device. Since station devices 51 to 59 which are connected to each 
device 2a to 2c also acquire the transmission right periodically in this 
way, the devices 51 to 59 can transmit data within the maximum revolving 
time. 



COPYRIGHT: (C) 1999, JPO 



13/5/17 (Item 17 from file: 347) 

DIALOG (R) File 347: JAPIO 

(c) 2003 JPO & JAPIO. All rts. reserv. 



05907547 **Image available** 

METHOD FOR GIVING CIPHER KEY AND AUTHENTICATION OF COMPUTER NETWORK 



PUB. NO.: 10-190647 [JP 10190647 A] 
PUBLISHED: July 21, 1998 (19980721) 
INVENTOR(s): SHIKURA MIKIO 
APPLICANT(s): SHIKURA MIKIO [000000] (An Individual), JP (Japan) 
APPL. NO.: 08-357148 [JP 96357148] 
FILED: December 26, 1996 (19961226) 
INTL CLASS: [6] H04L-009/08; H04L-009/32 
JAPIO CLASS: 44.3 (COMMUNICATION -- Telegraphy) 



ABSTRACT 

PROBLEM TO BE SOLVED: To provide the method for managing a cipher key free 
from problems of key management and troublesomeness of confirmation of 
whether or not a key is genuine or giving a cipher key that can be given 
and authentication. 



SOLUTION: On the computer network, a proxy server 3 is installed as a base 
where keys A as enciphering keys and deciphering keys of both a sender 
and a receiver are managed and when the sender sends a request to 
send information to the receiver on the network NW, the proxy server 3 
at the key management base divides one key A into two and gives one half 
key A' to the sender and the other half key A'' to the receiver 
respectively. Then the sender and receiver exchange ciphered information by 
using the given keys A' and A'' and the received ciphered information is 
deciphered. 
ABSTRACT 

PURPOSE: To provide a method and system for proxy authorization which 
attain a node which is permitted by an access requesting node to 
access resources safely as a proxy for the access request node. 
CONSTITUTION: A node A has a proxy request means 720 which transfers 
a 1st message including added secret information to a proxy node B after 
confirming the validity of a proxy node B substituting for its node A, a 
proxy request means 810 which holds the secret information of the 1st 
message received by the proxy node B through a proxy request means, and a 
proxy execution means 820 which allows the proxy node B to perform 
authorization with a node N by using the secret information; and the 
node B sends an access request to the node N as a substitute for the node 
A. 
Authentication server in networks e.g. WAN, provides authentication 
keys to mobile IP supporting Foreign Agent, on request, for enabling 
Foreign Agent to provide authentication extension 
Patent Assignee: CISCO TECHNOLOGY INC (CISC-N) 
Abstract (Basic): US 6466964 B1 

NOVELTY - The server provides authentication key associated 
with several nodes to a mobile IP supporting Foreign Agent (10), in 
response to request identifying a node received from the agent, so as 
to enable the Foreign Agent to generate an authentication extension. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are included for the 
following: 

(1) Method of registering a node which does not support mobile IP, 
with a Home Agent that supports mobile IP; and 

(2) Computer-readable media for registering node not supporting 
mobile IP. 

USE - For networks e.g. wide area network (WAN) and internet. 

ADVANTAGE - The Foreign Agent is enabled to initiate registration 
on behalf of a node, hence by such registration, nodes which do not 
have mobile IP software, hardware and firmware is provided mobile IP 
functionality. 

DESCRIPTION OF DRAWING(S) - The figure shows a mobile IP network 
segment and associated environment. 
Foreign Agent (10) 
pp; 30 DwgNo 1/13 
Wireless service establishing method for unauthorized wireless terminal, 
involves offering specific type of wireless service to wireless terminals 
by wireless switching system based on authorized data 
Abstract (Basic): US 6256299 B1 

NOVELTY - The data required for authorization of type of wireless 
service offered to one of wireless terminals is transferred by service 
agent to wireless switching system. The type of wireless service to be 
provided to terminals is authorized based on transferred data. The 
wireless service corresponding to received request is offered to 
terminals based on authorized type. 

DETAILED DESCRIPTION - The call between the terminals and agent 
of service provider is established based on received request. The 
terminal that is capable of using wireless service is detected before 
transmission of authorizing data. The wireless service such as domestic 
long distance call and overseas long distance call is established. An 
INDEPENDENT CLAIM is also included for wireless service establishing 
system. 

USE - For establishing specific type of wireless service to 
wireless terminals by wireless switching system controlled by wireless 
service provider. 

ADVANTAGE - Facilitates online registration of unauthorized 
wireless terminal to provide permanent service. Avoids establishment of 
long distance call using stolen wireless terminal. 

DESCRIPTION OF DRAWING(S) - The figure shows the flowchart 
explaining terminal registration process. 
Abstract (Basic): US 6112228 A 

NOVELTY - A list of available services from each of proxy servers 
(610,620,630,640) along the proxy chain is passed to server (610), to 
inherit available services by server (610). A specific service is 
authenticated for client on user request and a specialized user 
interface of computer is provided using proxy server interface of 
server (610), for display of inherited services. 

DETAILED DESCRIPTION - Client (602) is directly coupled to one of 
proxy servers (610,620,630,640). The available service list includes an 
identified first default function list and a separate to be 
authenticated function list. An INDEPENDENT CLAIM is also included for 
service providing apparatus. 

USE - For providing services offered by proxy server to client 
computers coupled to network. 

ADVANTAGE - The quantity and selection of services provided to 
client may be altered by manipulating the topology of proxy servers 
coupled to the network. 

DESCRIPTION OF DRAWING(S) - The figure shows the schematic diagram 
of network topology by interconnected proxy servers. 

Client computer (602) 

Proxy servers (610,620,630,640) 
Gateway apparatus for internet telephone system, requests 
transmission to LAN and collection of telephone call information if LAN 
side receiving call processor is disconnected and searched address is IP 
address 
Abstract (Basic): JP 2000059415 A 

NOVELTY - Search unit (42) searches gateway address of destination, 
on request from circuit side receiving call processor (45). If LAN side 
receiving call processor (44) processing call from computer (51), is 
disconnected from LAN and searched address is IP address, a LAN side 
transmission processor (47) requests transmission to computer (52), and 
collection of telephone call information logs from collector (49). 

DETAILED DESCRIPTION - The circuit side receiving call processor 
(45) processes receiving call from a telephone (53). A circuit side 
transmission processor (48) performs transmission to telephone (54) on 
request from processor (44). The telephone call information collector 
collects logs of telephone call information on request from either of 
processors (47,48). 

USE - For internet telephone system. 

ADVANTAGE - Performs transmission and reception of calls from 
personal computers in LAN, effectively since priority is given to a 
receiving call in personal computer. Reduces quantity of data for 
authentication, and time and effort for maintenance. 

DESCRIPTION OF DRAWING(S) - The figure shows the components of 
gateway apparatus. 

Search unit (42) 

LAN side receiving call processor (44) 
Circuit side receiving call processor (45) 
LAN side transmission processors (47,48) 
Collector (49) 
Computers (51,52) 
Telephones (53, 54) 

Secure distribution method for delivering session keys to a chain of 
computer nodes in a network involves client and intermediate nodes 
transmitting requests and extracting session keys from an 
authentication server response 

Patent Assignee: CITRIX SYSTEMS INC (CITR-N) 

Inventor: BULL J A; OTWAY D J 

Number of Countries: 001 Number of Patents: 001 

Abstract (Basic): GB 2345620 A 

NOVELTY - A client node (14) initiates a transaction (94) and 
intermediate nodes (22, 26) transmit a request to the next node 
(96) and generate a new request (98), the final node presenting a 
nested request (100) to an authentication server (18). The 
authentication server unravels the nested request and prepares a 
response including a session key for each node. A node receives the 
response, extracts that portion directed to it and sends the remainder 
to the next node. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for a 
system for securely distributing a session key by way of a network. 

USE - The secure distribution method is used for delivering session 
keys to a chain of computer nodes in a network. 

ADVANTAGE - Each node receives a session key with a single traverse 
of the chain. The forward and reverse protocols easily generalize for 
any number of nodes and may employ one-way hash functions to seal 
requests and response functions and to encode/encipher session keys. 

DESCRIPTION OF DRAWING(S) - The figure shows a flow chart and block 
diagram representation of a process by which embedded requests are 
generated. 

Abstract (Basic): WO 200056028 A1 

NOVELTY - A secure network has clients (14) connected to LANs 
(12,22). A security server (20) separated from network server has 
database storing access rights for network. A security agent (18) at 
data storage device storing protected data controls data access. The 
agent (18) communicates with server over the network in response to 
access request from a client to determine access right for 
client to protected data. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for 
security controlling method in network. 

USE - For internet and intranet applications. Also, applicable in 
peer-to-peer system. Especially for electronic commerce for business to 
business and home to business applications, copyright controlled 
content distributions of software, reference and entertainment 
materials metering of content and service, secure storage of state and 
value, securing business and personal activity to networks, protecting 
information based upon client specific business rules, intelligent, 
security aware information flow filtering. 

ADVANTAGE - The secure network is fast and transparent to end-users 
as long as the user is performing his duties and not contravening the 
security policy. The valid access attempts are ensured quickly and 
invalid ones are quickly disallowed. The security system provides for 
true security policy customization and mediates specific information 
regardless of the security policy. 

DESCRIPTION OF DRAWING(S) - The figure shows the diagram of secure 
network in business to business environment. 

LANs (12,22) 

Client (14) 

Security agent (18) 

Security server (20) 

Abstract (Basic): WO 200044130 A1 

NOVELTY - Subscription information relating to subscription with 
operator of GSM network (120) is read from IC card (160) at terminal 
operated by end user. Message containing verification request of end 
user is transmitted from server (140) to gateway node (100) 
connected to internet protocol (IP) based network (110) and GSM 
network. Gateway node provides services to end user on IP network after 
verifying end user. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(a) system for providing services on internet protocol based 
network; 

(b) gateway node 

USE - For providing services on internet protocol based network to 
which end user and server are connected. 

ADVANTAGE - Verifies the end user accessing IP network simply and 
reliably by gateway node. 

DESCRIPTION OF DRAWING(S) - The figure shows services providing 
system. 

Gateway node (100) 

IP based network (110) 

GSM network (120) 

Server (140) 

IC card (160) 

Abstract (Basic): US 5991810 A 

NOVELTY - The request established at the client (32) for 
transformation of information, is modified at the gateway client (22) 
according to directory service user name hierarchy and transmitted 
to proxy cache server (50). The proxy server reads the request 
and determines the access permission based on preset access parameters. 
The permitted information are received from proxy server and 
transmitted to the client. 

DETAILED DESCRIPTION - The transfer request is modified by 
appending a header formatted accessing to directory service user name 
hierarchy and the context of the client within client organizational 
structure. The transfer request is a hyper text transfer protocol 
request. An INDEPENDENT CLAIM is also included for the system for 
controlling access by clients to information stored in a proxy cache 
server linked with a remote site. 

USE - Used to restrict users from accessing specified web sites 
by gateway clients through proxy cache server. 

ADVANTAGE - The arrangement restricts access by unauthorized 
users to specified web information stored in the proxy cache server and 
prevents the proxy server from retrieving web site information 
through internet for such unauthorized users. 

DESCRIPTION OF DRAWING(S) - The figure shows the network 
architecture level block diagram of a network including a proxy cache 
server in which access by users to the proxy server is regulated. 

Gateway client (22) 

Client (32) 

Proxy cache server (50) 

Abstract (Basic): EP 924630 A1 

NOVELTY - The user (1) has access to the World Wide Web via a 
proxy server (2). This intercepts user access requests and sends 
header requests to accessed sites (3). If the site has contents (4) 
that are chargeable, the proxy contacts an Internet Service Broker (6). 
The IP address of the user is provided or a request made for the broker 
to seek confirmation from the user. The proxy server then retrieves 
chargeable data from the web site. 



USE - Internet access to chargeable content sites. 

ADVANTAGE - Allows the user to largely automatically handle billing 
for access to chargeable sites. 

DESCRIPTION OF DRAWING(S) - The drawing shows a block diagram of 
the internet access system. 

User accessing web sites (1) 

Proxy server intercepting and verifying charging needs and 
payments (2) 

Chargeable content site (3,4) 

Internet service broker handling authentication and billing (6) 

Abstract (Basic): WO 9904547 A 

NOVELTY - The multimedia telecommunications call centre (10) 
receives incoming calls via a gateway (14) sending call requests 
to a multipoint controller (20) controlling call routing to a desired 
terminal (22 and 23) on a network (30) with the physical call data 
stream carried directly across the network without controller mediation 
obviating bottlenecks. 

USE - For providing multimedia call handling between terminals. 

ADVANTAGE - Avoids bottlenecks in system. 

DESCRIPTION OF DRAWING(S) - The drawing shows a multimedia call 
centre. (10) multimedia call centre; (14) gateway; (20) virtual switch; 
(22) first terminal; (23) second terminal; (30) network. 

Abstract (Basic): WO 9844403 A 

The method involves starting an intermediary process on the first 
computer. The intermediary process has sufficient permission to 
perform the first operation on the first object. The first process 
communicates a first request to the intermediary process to 
perform the first operation on the first object. The intermediary 
process performs the first operation on the first object in response to 
the first request. A second operation is performed on a second object 
in the first computer system by a second process which lacks sufficient 
permission to perform the second operation on the second object. The 
intermediary process has sufficient permission to perform the second 
operation on the second object. 

Abstract (Basic): US 5649099 A 

ACPs are programs that encode arbitrary specifications of delegated 
access rights. A client creates an ACP and associates it with a 
request to a server, the request being made through one or more 
intermediaries. 

When processing a request received from an intermediary, the server 
executes the access control program to determine whether or not to 
grant the request. 

USE/ADVANTAGE - In computing system comprising server, client, and 
intermediary, to process ultimate request delivered to server as 
final request in chain comprising linked requests, client and all 
intermediaries each being associated with one linked request of 
chain, intermediary that delivers ultimate request to server 
being final intermediary in chain and being designated as requestor. 

French Abstract 

The invention relates to a virtual payment system for ordering goods, 
services and content over an internetwork. The virtual payment system 
comprises a commerce gateway component (52) and a credit processing 
server component (53). The virtual payment system is a secure, closed 
system comprising registered sellers and buyers. A buyer becomes a 
registered participant by applying for a virtual payment account. 
Similarly, a seller becomes a registered participant by applying for a 
virtual seller account. A buyer can instantly open an account online by 
means of the credit processing component (53), which immediately 
evaluates the buyer's application for a virtual payment card and assigns 
a credit limit to the account. Once the account is set up, a digital 
certificate is stored on the registered participant's computer. The buyer 
can then order a product such as goods, services and content from a 
seller, who charges these orders to the virtual payment account. When the 
product is shipped, the seller notifies the commerce gateway component 
(52), which in turn notifies the credit processing server, which applies 
the amount due to the buyer's virtual payment account. The buyer can 
settle the amount due using a prepaid account, a credit account or bonus 
points earned through use of the virtual payment card. A buyer can create 
sub-accounts. 

Claims 
Claim 

... 64 of the buyer computer 50. The logic then proceeds to a decision 
block 304 where a test is made to determine whether the purchase request 
should be forwarded to the commerce gateway adapter 76. If the 
purchase request is to purchase products using a virtual payment 
account, the request should be forwarded to the commerce gateway 
adapter 76 for processing in accordance with the virtual payment system 
of the present invention. In another embodiment, only the request 
(without the account identification container) is received from the Web 
browser in block 302, and if it is determined in decision block 304 that 
the purchase request should be forwarded to the commerce gateway 
adapter 76, the account identification is then obtained from the Web 
browser 64. In either case, if it is determined in decision block 304, 
that the purchase request should be forwarded to the commerce 
gateway adapter 76, the logic proceeds to a block 306 where the request 
is forwarded to the commerce gateway adapter. The commerce gateway 
adapter 76 is shown in more detail in FIGURE 19 and described next. 
The commerce gateway adapter 76 is a component residing on the seller... 
logic of FIGURE 18 then ends in a block 324. However if at decision 
block 304, it is determined that the purchase request should not be 

English Abstract 

One or more embodiments of the invention comprise a computing environment 
that offers a level of decentralization wherein application server code 
resident on a remote application server can be distributed to a local 
server. The local server becomes a local application server for a client. 
A request for information by a client is serviced by a request handler on 
the local application server. If the information is available on the 
local application server, the request handler satisfies the request using 
this information. If the information is not available locally, the 
request handler can access the remote application server to obtain the 
requested information. When the information is copied to the local 
application server, the request handler retains a copy of the information 
and forwards a copy to the client. Thus, subsequent requests can be 
satisfied without accessing the remote application server. Where the 
information cannot be transferred to the local application server, the 
request handler can establish a proxy to the remote application server 
that forwards a client request to the remote application server and a 
response from the remote application server to the client. The client 
communicates with the remote application server via the proxy on the 
local application server and is unaware of the remote application server. 
During a login process, the client establishes its identity which can be 
used for multiple applications and information requests. The local 
server generates a credential for the client that can be used to 
authorize access to any application server and/or service needed by 
the client. 



French Abstract 

One or more embodiments of the invention comprise a computing 
environment that offers a level of decentralization in which application 
server code residing on a remote application server can be distributed to 
a local server. This local server becomes a local application server for 
a client. A client's request for information is serviced by a request 
handler on the local application server. If the information is available 
on the local application server, the request handler satisfies the 
request using that information. If the information is not available 
locally, the request handler can access the remote application server to 
obtain the requested information. When the information is copied to the 
local application server, the request handler keeps a copy of the 
information and forwards a copy to the client. Subsequent requests can 
thus be satisfied without accessing the remote application server. Where 
the information cannot be transferred to the local application server, 
the request handler can set up a proxy at a remote application server 
that sends a client request to the remote application server and a 
response from the remote application server to the client. The client 
communicates with the remote application server via the proxy on the 
local application server, and the remote application server is invisible 
from that client's point of view. During a login process, the client 
establishes its identity, which can be used for multiple applications and 
information requests. The local server generates a pass for the client 
that can be used to authorize access to all the application servers 
and/or services the client needs. 



Legal Status (Type, Date, Text) 

Publication  20000914  A2 Without international search report and to be 
                       republished upon receipt of that report. 
Search Rpt   20001228  Late publication of international search report 
Examination  20010201  Request for preliminary examination prior to end of 
                       19th month from priority date 



Main International Patent Class: G06F-009/46 



English Abstract 

...client. Thus, subsequent requests can be satisfied without accessing 
the remote application server. Where the information cannot be 
transferred to the local application server, the request handler can 
establish a proxy to the remote application server that forwards a 
client request to the remote application server and a response from the 
remote application server to the client. The client communicates with the 
remote application server via... 



...the remote application server. During a login process, the client 
establishes its identity which can be used for multiple applications and 
information requests. The local server generates a credential for the 
client that can be used to authorize access to any application 
server and/or service needed by the client. 

English Abstract 

Embodiments of the invention comprise a method and apparatus for 
authenticating secure access to computer networks. Embodiments of the 
invention control and manage access to a computer intranet from an 
extranet. Access to the intranet is allowed such that specified packets 
are permitted to penetrate the intranet's gateway and transmitted to a 
reverse proxy. The reverse proxy configurations authenticate a user, 
provide logging (e.g., intranet access), forward user credentials to 
intranet applications and provide a mapping between external references 
to intranet resources and their internal references. Mappings can be 
expressed literally or as a pattern expression. 

French Abstract 

In some of its embodiments, this invention relates to a method and an 
apparatus providing secure, authenticated access to computer networks. 
Some of these embodiments control and manage access from an extranet to 
an intranet. Access to the intranet is allowed so that specified packets 
can pass through the intranet gateway and be transmitted to a reverse 
proxy. The reverse proxy configurations authenticate the user, allow the 
user to log in (for example, to access the intranet), forward proofs of 
identity to intranet applications, and perform a mapping between external 
references to intranet resources and their internal references. The 
mappings can be expressed literally or as patterns. 

Detailed Description 



or between an intranet application (or user) and an extranet (e.g., the 
Internet). To access the Internet, for example, an intranet user sends a 
request directed to the Internet to the proxy server which forwards the 
request unchanged to the Internet. 

Neither the firewall nor a proxy server allow access by an authorized 
user attempting to gain access to the corporation's intranet from outside 
the intranet. The purpose of the firewall is to prohibit external access. 
A... Redirector 804B redirects a request to either authenticator 804A or 
proxy 804C components of web tunnel 800. Authenticator 804A produces 
material that is used to authenticate client 802 to proxy 804C. Proxy 
804C performs the function of receiving requests for web servers 806 and 
808 and forwarding requests to them. 

When redirector 804B receives a URL from client 802, redirector 804B 
packages the URL inside another URL that identifies either authenticator 
804A...the generic identification or pattern can be used to determine 
whether an external reference is translated to its internal reference and 
vice versa. 

If reverse proxy 204 determines that a user's request is directed to a 
permitted resource, reverse proxy 204 forwards the request via the 
intranet to a destination to access the resource. For example, a request 
from a user who is authorized to access application server 212A is 
forwarded by reverse proxy 204 to proxy server 210 (via line 234) as 
plain text. Proxy server 210 directs the request to application server 
212A, via line 224. Application servers 212A-212C receive a request from 
proxy server 210 via lines... 202 has been authenticated and reverse 
proxy 204 is aware of the access privileges associated with the user of 
client 202. 

Client 202 transmits a request to reverse proxy 204. An authenticated 
user's authorized access request is forwarded to the intranet 
resource. For example, a request from an authenticated user to access 
application server 212A (e.g., an application that is running on 
application server 212A) is forwarded to application server 212A via 
proxy server 210 by reverse proxy ... request can be processed by the 
application. Reverse proxy 204 forwards the request and credentials (that 
includes a userid) to application server 212A via proxy server 210. 

User Login and Authentication 

Reverse proxy 204 interacts with authentication server 208 to 
authenticate a user and retrieve a user's access privileges. A user's 
access privileges are used by reverse proxy 204 to determine whether a 
request to access an intranet resource is authorized. An authenticated 
user's authorized access request is forwarded to the intranet 
resource. Figure 4 illustrates a login and authentication model according 
to an embodiment of the invention. 

To access the intranet initially, the... the user's request. If the user 
does not have the authority to access the intranet resource(s), a 
rejection message can be sent to client 202. If the user's credentials 
indicate that the user has authority to access the intranet resource(s), 
reverse proxy 204 forwards the request to intranet 248 (e.g., proxy 
server 210). 

Request Processing Flow 

In an embodiment of the invention, reverse proxy 204 processes 
requests received from both authenticated and unauthenticated users. 
Figure 5 provides a request processing process flow according to an 
embodiment of the invention... 

English Abstract 

An automatically invoked intermediation process for network purchases by 
subscribing purchasers (300) from subscribing merchants (302) includes 
the step of establishing a resource rules database (312) at the network 
site of each subscribing purchaser which, in one aspect of the 
intermediation process, includes information encoding 
resource-locator-data identification criteria corresponding to restricted 
access ports at subscribing merchant sites (302) and access fee 
information for purchasing content by way of the corresponding port. Upon 
receipt of a user communication indicating approval, a purchase request 
message is transmitted to a transaction processing site (304). Upon 
verification of purchaser site credentials, the target resource is 
retrieved from the subscribing merchant site using access-restriction 
override information being encrypted and forwarded to the subscribing 
purchaser site. 

French Abstract 

The invention relates to an automatically invoked intermediation method 
designed to allow subscribing purchasers (300) to make purchases over a 
network from subscribing merchants (302). The method consists of 
establishing, at the network site of each subscribing purchaser, a 
database (312) of rules governing resources. In one aspect of the method, 
the database contains, on the one hand, information encoding 
resource-locator-data identification criteria corresponding to restricted 
access ports serving sites (302) of the subscribing merchants and, on the 
other hand, information on access fees for purchasing content via the 
corresponding port. On receipt of a user communication indicating 
approval, the system transmits a purchase request message to a 
transaction processing site (304). After verifying the rights attached to 
the purchaser's site, the system retrieves the target resource from the 
subscribing merchant's site. This is done using information that 
overrides the access restrictions, which information is encrypted and 
then sent to the subscribing purchaser's site. 

Main International Patent Class: G06F 
Fulltext Availability: 
Detailed Description 



Detailed Description 

request message is transmitted from the trust server to the proxy 
content server over the private network interconnecting the trust server 
and the proxy account server. The verified-account-identity 
purchase-request message includes data encoding the version 
identification number for the intermediation procedure taken from the 
redirected purchase-request message previously forwarded to the trust 
server from the proxy content server, a third step identifier code 
number a3, the resource encryption key generated at the trust server, and 
the URL for the target resource... 

English Abstract 

A client (165) stores a first set of workspace data (180), and is 
coupled via a computer network (120) to a global server (115). The client 
(165) may be configured to synchronize portions of the first set of 
workspace data (180) with the global server (115), which stores 
independently modifiable copies (163) of the portions. The global server 
(115) may also store workspace data (163) which is not downloaded from 
the client (165), and thus stores a second set of workspace data (163). 
The global server (115) may be configured to identify and authenticate a 
user seeking global server access from a remote terminal (105), and is 
configured to provide access to the first set (180) or to the second set 
(163). Further, services (615) may be stored anywhere in the computer 
network (100). The global server (115) may be configured to provide the 
user with access to the services (615). The system (100) may further 
include a synchronization-start module (820) at the client site (165) 
(which may be protected by a firewall (135)) that initiates 
interconnection and synchronization with the global server (115) when 
predetermined criteria have been satisfied. 



French Abstract 

According to the invention, a client system stores a first set of 
workspace data, is coupled via a computer network to a global server, and 
can be configured to synchronize portions of the first set of workspace 
data with the global server, which stores independently modifiable copies 
of the portions. The global server can also store workspace data that is 
not downloaded from the client system and thus stores a second set of 
workspace data. The global server can be configured to identify and 
authenticate a user seeking access to the global server from a remote 
terminal, and it is configured to provide access to the first or the 
second set of data. In addition, services can be stored anywhere in the 
computer network. The global server can be configured to give the user 
access to the services. The system can further include, at the client 
site (which may be protected by a firewall), a synchronization-start 
module that initiates interconnection and synchronization with the global 
server when predetermined criteria are met. 

Main International Patent Class: G06F-013/00 
Fulltext Availability: 
Detailed Description 

Detailed Description 

... 1050b ends. Otherwise, method 1050b returns to step 1325 to obtain 
another request. If the global server 115 in step 1330 determines that it 
is authorized to perform the remote terminal 105 user's request, 
then the global server 115 in step 1340 acts as the proxy for the remote 
terminal 105 to the service 615. As proxy, the global server 115 
forwards the service request to the selected service 615 and 
forwards responses to the requesting applet 359 currently executing on 
the remote terminal 105. Method 1050b then jumps to step 1345. 

FIG. 14 is a flowchart... 

English Abstract 

The invention features various techniques for managing transfers of 
information in public packet switched communications networks. In one 
aspect, the invention provides a system for identifying updated items of 
network-based information, such as pages, to users (16) in a network (12, 
14, 30). Another aspect of the invention features a system for 
implementing security protocols. Another aspect of the invention features 
a system for managing authenticating credentials of a user (16). Another 
aspect of the invention features a system for inducing advertisers to 
target advertisements to consumers (16). Another aspect of the invention 
features a system for extracting data from sources of network-based 
information in a communications network (12, 14, 30). 

French Abstract 

The invention relates to various techniques for managing transfers of 
information in a public packet-switched communications network. In one 
aspect, the invention relates to a system for identifying, for the 
benefit of the users (16) of the network (12, 14, 30), updated items of 
network-based information, such as pages. Another aspect of the invention 
relates to a system for implementing security protocols. Another aspect 
of the invention relates to a system for verifying the identity of a user 
(16). Yet another aspect of the invention relates to a system that 
induces users to target their advertising to consumers (16). A final 
aspect of the invention relates to a system for extracting data from 
sources of network-based information in the communications network (12, 
14, 30). 

Detailed Description 

... request. A proxy server, implemented on
a computer, maintains a table of authenticating
credentials for each of the plurality of network servers,
receives the request from the network tool, and forwards
the request to the network server. The proxy server
receives a request for authentication from the one of the
network servers, retrieves from the table authenticating
credentials for the network server, transmits the
authenticating credentials to the network server,
receives the item of network-based information from the
network server, and forwards the item of network-based
information to the network tool.

By providing a proxy server that manages a user's
authenticating credentials automatically on behalf of a
user, the invention enables the user to avoid having to
assume the responsibility of managing and remembering a
large... the service.

The credentials may be a simple user ID and password or a 
public key and private key pair. 

To manage the user's credentials automatically,
the proxy server stores a table 40 of pairs <S, C>, where
S represents the name of a subscription service's server
and C represents the corresponding credentials for that
service. The table is stored on the user's computer and
is protected by a single password or smart card. When
the user first starts a Web session, proxy server 34 will
ask the user to supply that secret.

When browser 36 requests a page (or other item of
network-based information) from network server 38, proxy
server 34 forwards the request to network server 38.
Network server 38 may respond with a "please
authenticate" message. At this point, browser 36 would
ordinarily display a dialog box...

Nachrichten- und Kommunikationssystem in einem Netz
Système de messagerie et communication dans un réseau

PATENT ASSIGNEE: 

LUCENT TECHNOLOGIES INC., (2143720), 600 Mountain Avenue, Murray Hill, 
New Jersey 07974-0636, (US), (Applicant designated States: all) 
INVENTOR: 

Rai, Girish, 523 Lady Smith Road, Bartlett, Du Page, Illinois 60103, (US) 
Chuah, Mooi Choo, 184B Eatoncrest Drive, Eatontown, New Jersey 07724, 
(US) 

Parsons, Philip M. , 6393 Glenbrook Court, Lisle, Illinois 60532, (US) 
LEGAL REPRESENTATIVE: 

Johnston, Kenneth Graham et al (32381), Lucent Technologies (UK) Ltd, 5 
Mornington Road, Woodford Green Essex, IG8 OTU, (GB) 
PATENT (CC, No, Kind, Date) : EP 918417 A2 990526 (Basic) 

EP 918417 A3 991124 
APPLICATION (CC, No, Date) : EP 98308355 981013; 
PRIORITY (CC, No, Date): US 61915 P 971014; US 138677 980824 
DESIGNATED STATES: DE; FR; GB; IT; SE 
EXTENDED DESIGNATED STATES: AL; LT; LV; MK; RO; SI 

INTERNATIONAL PATENT CLASS: H04L-012/28; H04L-012/66; H04L-029/06; 
H04Q-007/22 

ABSTRACT EP 918417 A2 

A Message and communication system in a coupled data network is 
disclosed. The coupled data network includes a foreign network and a home 
network. The foreign network includes a foreign base station with a 
foreign access hub, the foreign access hub including a first serving 
inter-working function. The home network includes a first home 
inter-working function. A first mobile end system is a subscriber to the 
home network and operates within the foreign network. A first message is 
transportable between the first mobile end system and a first 
communications server through the first home inter-working function and 
through the first serving inter-working function of the foreign access 
hub in the foreign base station.

...SPECIFICATION advertisement messages sent by a near by foreign agent to
discover the identity of the FA and to register. During this phase, the
user registration agent of the end system selects a FA and issues a
registration request to it. The FA acting as a proxy registration
agent forwards the registration request to its registration server
(the registration server in the foreign WSP). The registration server
uses User-Name from the user registration agent's request to
determine the end system's home network, and forwards the registration
request for authentication to a registration server in the home
network. Upon receiving the registration request relayed by the foreign
registration server, the home registration server authenticates the
identity of the foreign registration server and also authenticates
the identity of the end system. If authentication and registration
succeeds, the home registration server selects an IWF in the home network
to create an...

...server in the home network and the identities of the foreign network and
the home network to each other. To perform this function, the foreign
agent forwards the end system's registration request using, for
example, an IETF Radius protocol to a registration server in its local
MSC in a Radius Access-Request packet. Using the end system...

...domain name, the foreign registration server determines the identity of
the end system's home network and home registration server, and acting as
a Radius proxy, encapsulates and forwards the request to the end
system's home registration server. If the foreign registration server
cannot determine the identity of the end system's home, it may...

...foreign agent's registration request and the foreign agent rejects the
end system's registration request. Upon receiving the Radius
Access-Request, the home registration server performs the necessary
authentication of the identities of the foreign network and the end
system. If authentication and registration succeeds, the home
registration server responds with a Radius Access...

ABSTRACT EP 917328 A2

A wireless data network which provides communications with a Pier to 
Pier Protocol server is disclosed. A home network includes a home mobile 
switching center and a wireless end system, the home mobile switching 
center including a home registration server and a home inter-working 
function, the wireless end system including an end registration agent, 
the end registration agent being coupled to the home registration server. 
The wireless data network also includes a PPP server, wherein a message 
is coupleable from the end system through the home inter-working function 
to the PPP server.

...SPECIFICATION advertisement messages sent by a near by foreign agent to
discover the identity of the FA and to register. During this phase, the
user registration agent of the end system selects a FA and issues a
registration request to it. The FA acting as a proxy registration
agent forwards the registration request to its registration server
(the registration server in the foreign WSP). The registration server
uses User-Name from the user registration agent's request to
determine the end system's home network, and forwards the registration
request for authentication to a registration server in the home
network. Upon receiving the registration request relayed by the foreign
registration server, the home registration server authenticates the
identity of the foreign registration server and also authenticates
the identity of the end system. If authentication and registration
succeeds, the home registration server selects an IWF in the home network
to create an...

...server in the home network and the identities of the foreign network and
the home network to each other. To perform this function, the foreign
agent forwards the end system's registration request using, for
example, an IETF Radius protocol to a registration server in its local
MSC in a Radius Access-Request packet. Using the end system...

...domain name, the foreign registration server determines the identity of
the end system's home network and home registration server, and acting as
a Radius proxy, encapsulates and forwards the request to the end
system's home registration server. If the foreign registration server
cannot determine the identity of the end system's home, it may...

...foreign agent's registration request and the foreign agent rejects the
end system's registration request. Upon receiving the Radius
Access-Request, the home registration server performs the necessary
authentication of the identities of the foreign network and the end
system. If authentication and registration succeeds, the home
registration server responds with a Radius Access...

ABSTRACT EP 917320 A2

A wireless data network includes a wireless packet switched data 
network for end users that divides mobility management into local, micro, 
macro and global connection handover categories and minimizes handoff 
updates according to the handover category. The network integrates MAC 
handoff messages with network handoff messages. The network separately 
directs registration functions to a registration server and direct 
routing functions to inter-working function units. The network provides 
an intermediate XTunnel channel between a wireless hub (also called 
access hub AH) and an inter-working function unit (IWF unit) in a foreign 
network, and it provides an IXTunnel channel between an inter-working 
function unit in a foreign network and an inter-working function unit in 
a home network. The network enhances the layer two tunneling protocol 
(L2TP) to support a mobile end system, and it performs network layer 
registration before the start of a PPP communication session.

...SPECIFICATION advertisement messages sent by a near by foreign agent to
discover the identity of the FA and to register. During this phase, the
user registration agent of the end system selects a FA and issues a
registration request to it. The FA acting as a proxy registration
agent forwards the registration request to its registration server
(the registration server in the foreign WSP). The registration server
uses User-Name from the user registration agent's request to
determine the end system's home network, and forwards the registration
request for authentication to a registration server in the home
network. Upon receiving the registration request relayed by the foreign
registration server, the home registration server authenticates the
identity of the foreign registration server and also authenticates
the identity of the end system. If authentication and registration
succeeds, the home registration server selects an IWF in the home network
to create an...

...server in the home network and the identities of the foreign network and
the home network to each other. To perform this function, the foreign
agent forwards the end system's registration request using, for
example, an IETF Radius protocol to a registration server in its local
MSC in a Radius Access-Request packet. Using the end system...

...domain name, the foreign registration server determines the identity of
the end system's home network and home registration server, and acting as
a Radius proxy, encapsulates and forwards the request to the end
system's home registration server. If the foreign registration server
cannot determine the identity of the end system's home, it may...

...foreign agent's registration request and the foreign agent rejects the
end system's registration request. Upon receiving the Radius
Access-Request, the home registration server performs the necessary
authentication of the identities of the foreign network and the end
system. If authentication and registration succeeds, the home
registration server responds with a Radius Access...

ABSTRACT EP 912027 A2

An inter-working function selection system in a coupled data network is 
disclosed. The coupled data network includes a foreign network and a home 
network. The foreign network includes a foreign mobile switching center 
with a serving registration server. The home network includes a home 
mobile switching center with a home registration server and a plurality 
of unassigned home inter-working functions. A first end system is a 
subscriber to the home network and operates within the foreign network. 
The first end system includes an end registration agent to form a 
registration request, the end registration agent sending the registration 
request through the serving registration server to the home registration 
server, the home registration server including a module to select an 
active home inter-working function from the plurality of unassigned home 
inter-working functions based on the registration request.

...SPECIFICATION advertisement messages sent by a near by foreign agent to
discover the identity of the FA and to register. During this phase, the
user registration agent of the end system selects a FA and issues a
registration request to it. The FA acting as a proxy registration
agent forwards the registration request to its registration server
(the registration server in the foreign WSP). The registration server
uses User-Name from the user registration agent's request to
determine the end system's home network, and forwards the registration
request for authentication to a registration server in the home
network. Upon receiving the registration request relayed by the foreign
registration server, the home registration server authenticates the
identity of the foreign registration server and also authenticates
the identity of the end system. If authentication and registration
succeeds, the home registration server selects an IWF in the home network
to create an...

...server in the home network and the identities of the foreign network and
the home network to each other. To perform this function, the foreign
agent forwards the end system's registration request using, for
example, an IETF Radius protocol to a registration server in its local
MSC in a Radius Access-Request packet. Using the end system...

...domain name, the foreign registration server determines the identity of
the end system's home network and home registration server, and acting as
a Radius proxy, encapsulates and forwards the request to the end
system's home registration server. If the foreign registration server
cannot determine the identity of the end system's home, it may...

...foreign agent's registration request and the foreign agent rejects the
end system's registration request. Upon receiving the Radius
Access-Request, the home registration server performs the necessary
authentication of the identities of the foreign network and the end
system. If authentication and registration succeeds, the home
registration server responds with a Radius Access...

English Abstract

A communication system (100) and a method for operating the same are 
described to provide seamless, automatic routing of telephone calls over 
a public switched telephone network (PSTN 160), an internet protocol (IP) 
network (145), a public-wireless-network (150) and a 
private-wireless-network (120) . In one embodiment, the system (100) 
comprises a plurality of gateway networks (105) coupled to the PSTN 
(160), IP network (145) and the public-wireless-network (150). The 
gateway networks (105) are configured to automatically select over which 
of the IP network (145), PSTN (160) or the public-wireless-network (150) 
to route the telephone call. Preferably, the gateway networks (105) are 
configured to reroute an in-progress telephone call over the IP network 
(145) over the PSTN (160) if a delay in transmission of date packets, 
losses in transmission of data packets, or jitter exceeds a specified 
maximum. More preferably, the gateway networks (105) are configured so 
that the routing of the telephone call is substantially transparent to 
the calling party and to the called party. 

French Abstract 

The invention relates to a communication system (100) and a method of
operating it, which are intended to provide automatic and seamless
routing of telephone calls over a public switched telephone network
(PSTN 160), an Internet protocol network (IP 145), a public wireless
network (150) and a private wireless network (120). In one embodiment,
the system (100) comprises a plurality of gateway networks (105) coupled
to the PSTN (160), the IP network (145) and the public wireless network
(150). The gateway networks (105) are configured to automatically select
the IP network (145), the PSTN (160) or the public wireless network (150)
over which the telephone call is routed. Preferably, the gateway networks
(105) are configured to reroute an in-progress telephone call on the IP
network (145) over the PSTN (160) if a delay or losses in the
transmission of data packets, or jitter, exceed a specified maximum.
Preferably, the gateway networks (105) are configured so that the routing
of the telephone call is substantially transparent to both the calling
party and the called party.

Detailed Description

...station 290B currently associated with the called mobile phone 285B is
notified of the call setup request. This request is forwarded to the
wireless gatekeeper server 295, which may authenticate the mobile
identification of the caller mobile phone 285A. Assuming the
authentication passes, the wireless gatekeeper server 295 forwards the
call setup request with the caller mobile identification to the
gateway server software 175. The gateway server software 175 checks
its database 180 to obtain the user information for the caller, and it
also uses the dialed office extension to look...

Claims

Fulltext Word Count: 13627 
English Abstract 

A method of determining a geographic location of an Internet user 
involves determining if the host is on-line, determining ownership of the 
host name, and then determining the route taken in delivering packets to 
the user. Based on the detected route, the method proceeds with 
determining the geographic route based on the host locations and then 
assigning a confidence level to the assigned location. A system collects 
the geographic information and allows web sites or other entities to 
request the geographic location of their visitors. The database of 
geographic locations may be stored in a central location or, 
alternatively, may be at least partially located at the web site. With 
this information, web sites can target content, advertising, or route 
traffic depending upon the geographic locations of their visitors. 
Through web site requests for geographic information, a central database 
tracks an Internet user's traffic on the Internet whereby a profile can 
be generated. In addition to this profile, the central database can store 
visitor's preferences as to what content should be delivered to an IP 
address, the available interface, and the network speed associated with 
that IP address. 

French Abstract 

The invention relates to a method for determining the geographic location
of an Internet user. The method consists of determining whether the host
is connected, identifying the owner of the host name, and then
determining the route followed by packets sent to the user. Based on the
detected route, the method then determines the geographic route from the
host positions and assigns a confidence level to the determined position.
A system collects this geographic information and allows web sites or
other entities to request the geographic position of their visitors. The
database of geographic positions may be stored in a central location or
may be at least partially located at the web site. With this information,
web sites are able to target content, advertising or traffic according to
the geographic positions of their visitors. A central database uses web
site requests for geographic information to detect the data traffic
generated by a user on the Internet and to define a profile accordingly.
In addition to this profile, the central database can store the visitor's
preferences regarding the content to be delivered to an IP address, the
available interface and the network speed associated with that IP
address.

English Abstract

Multiple home agents for a home agent service provider network are 
implemented in a single computing platform in software as multiple 
virtual home agents. Each home agent is assigned or dedicated to a single 
virtual private network. Any number of home agents can be realized in the 
computing platform by multiple instantiations of a home agent program or 
code, and by providing unique IP addresses for each instantiation. Each 
home agent runs independently, and is independently configured and 
managed by the subscriber of the virtual private network service, freeing 
the service provider of having to manage and supervise low level 
processing tasks and customization features that the subscribers may
want. In a representative embodiment, the computing platform comprises a
router having a general purpose-computing platform.

French Abstract 

A single computing platform hosts multiple home agents forming a software
system of multiple virtual agents. Each home agent is responsible for a
single virtual private network. The platform can accommodate any number
of home agents through multiple instantiations of home agent programs or
code, or by giving unique IP addresses to each instantiation. Each home
agent, which runs independently, is configured and managed independently
by the subscriber of the virtual private network service, which frees the
service provider from managing and supervising low-level processing tasks
and the customization operations desired by the subscriber. In a
representative version, the computing platform comprises a router
equipped with a general-purpose computing platform.

Detailed Description

program could be running at one time, each one serving a different 
virtual private network. 

Referring now to Figure 2, the use of the AAA server 28 in performing 
registration request authentication functions for a plurality of mobile 
nodes will be described. For a mobile node to communicate with its peer 
in the mobile IP protocol, it... 

...the home agent for the mobile device. To determine whether the mobile
node should be registered or not, the home agent needs to perform an
authentication function for the mobile node. This is to insure that
only current subscribers are allowed IP network access, and to deny such
access where the mobile node has not paid...

...serial number type of information uniquely identifying the device) is
forwarded to the AAA server. The AAA server determines from this number
whether the mobile node that is seeking registration is authorized or
not. The AAA in turn sends a reply indicating the status of the
registration request authentication back to the home agent 62 (that is,
back to the particular instantiation of the home agent program that sent
the authentication request to the AAA server). The home agent then
sends back a reply to the registration request message back to the
foreign agent, which in turn forwards it to the mobile node. If the
registration request is denied, an error code may be included in the
reply. Further details on this process are described in the patent
application of Richard J...

Claim 

... of handing a registration request from a mobile communications device,
comprising the steps of providing a master home agent in a communications
chassis, said master home agent
comprising a plurality of software-replicated home agents;
receiving a registration request from said mobile communications device
at said communications chassis and forwarding said registration
request to one of a plurality of software-replicated home agents in said
communications chassis in accordance with an
address in said registration request;
generating a...

...message in said one of said plurality
of software replicated home agents;
transmitting said registration request authentication message from said
communications chassis to an accounting, authentication, and
authorization (AAA) server; receiving a reply to said registration
authentication message from said AAA server at
said one of said plurality of software-replicated home agents; and
forwarding a reply to said registration request message from said
communications chassis to...

English Abstract

A method and apparatus for accessing devices on a network. A URL
(Uniform Resource Locator) is utilized on the internet to specify the
application protocol (e.g., http), the domain name (e.g., www.sun.com),
and file location (e.g., /users/hcn/index.html). One or more embodiments
of the invention provide for accessing devices on a network and the
internet by utilizing the URL and HTTP. By specifying the desired device
action in the URL, it is unnecessary to create a plug-in or modify the
browser for the resource. Each device or resource is connected to the
network and is configured with a small amount of computer code that
identifies the relevant commands that may be used to control the device.
Additionally, the resource is configured to operate upon receiving the
specified commands in the URL address that identifies the resource.

French Abstract 

The invention relates to a method and apparatus for accessing devices on
a network. A URL (Uniform Resource Locator) is used on the Internet to
specify the application protocol (such as http), the domain name (such as
www.sun.com) and the file location (such as utilisateurs/hcm/index.html).
One or more embodiments of this invention make it possible to access
devices on a network and the Internet using the URL and HTTP. By
specifying the desired device action in the URL, it is not necessary to
create a plug-in or modify the browser for the resource. Each device or
resource is connected to the network and is configured with a small
amount of computer code that identifies the appropriate commands that can
be used to control the device. In addition, the resource is configured to
operate upon receiving the specific commands in the URL address that
identifies the resource.

Fulltext Availability: 
Detailed Description 

Detailed Description 

more embodiments of the invention. Client 200 communicates with an
internet service provider (e.g., by requesting a web page or device
operation), or a proxy 202. Proxy 202 forwards client 200's
request to a web server such as web server 1 204 or web server N 208.
Alternatively, proxy 202 may communicate with an authentication server
206. Authentication server 206 verifies or authenticates the
identity and authorization of client 200. For example, authentication
server 206 may decrypt client 200's request or may request client 200
submit a username and password which is then verified by cross checking
the submitted information or by... to encrypt and decrypt data). At step
402, a proxy intercepts the request. At step 404 the proxy determines if
the cookie transmitted by the client is a valid authentication cookie
(cookies are small pieces of information that can later be read back from
a browser; when a web site is accessed, a cookie is...

...cookies at a later date). Thus, the cookie transmitted by the client and
is compared to a list of valid cookies to determine if the client has
the proper authentication, for example. If the cookie is valid, the
proxy forwards the request. If there is no cookie, the proxy
generates a random number and a cookie (the cookie and random number
could be the same) at step 406. Additionally, the proxy remembers the
current...

English Abstract

A global server (106) includes a communications engine for establishing 
a communications link with a client (114a); security means coupled to the 
communications engine for determining client privileges; a servlet host 
engine coupled to the security means for providing to the client (114a), 
based on the client privileges, an applet which enables I/O with a 
secured service (110a); and a keysafe for storing a key which enables 
access to the secured service (110a). The global server may be coupled to
multiple sites, wherein each site provides multiple services. Each site
may be protected by a firewall (116). Accordingly, the global server
stores the keys for enabling communication via the firewalls (116) with
the services (110a).

French Abstract 

A global server (106) comprises a communications engine for establishing
a communications link with a client (114a); security means coupled to the
communications engine for evaluating client privileges; a servlet host
engine coupled to the security means for providing the client (114a), on
the basis of the privileges granted to the client, with an applet
enabling I/O with a secured service; and a keysafe for storing a key
enabling access to the secured service. The global server may be coupled
to multiple sites, each site providing multiple services. Each site may
be protected by a firewall (116). Accordingly, the global server stores
the keys to enable communication, via the firewalls (116), with the
services (110a).

Fulltext Availability: 
Detailed Description 

Detailed Description 

... Otherwise, method 540b returns to step 860 to obtain another request.
If the servlet host engine 386 in step 865 determines that it is
authorized to perform the client 114 user's request, then the servlet
host engine 386, possibly using servlets 398, acts as the proxy for the
client 114 to the service engine 490. As proxy, the servlet host
engine 386 forwards the service request to the service 110a-110d
for the applet 288 and forwards responses to the requesting applet
288 currently executing on the client 114. Method 540b then returns to
step 870.

FIG. 8C is a flowchart illustrating...

Claims

English Abstract

The present invention includes a method and apparatus for providing 
access control to services within a computer network. More specifically, 
the present invention includes a services management system, or SMS. The 
SMS manages network connections between a series of client systems and a
router. An access network control server (ANCS) manages the configuration
of the router. For each network user, the SMS maintains a profile of
filtering rules. When the user accesses the network, the SMS downloads
the user's filtering profiles to the ANCS. The ANCS then uses the
downloaded filtering profiles to reconfigure the router. The router then 
uses the filtering rules to selectively forward IP packets originating 
from the user's host system and directed at the network services. 

French Abstract 

The invention relates to a method and apparatus for providing access
control to services in a computer network. More specifically, the
invention relates to a services management system, or SMS. The SMS
manages network connections between a series of client systems and a
router. An access network control server (ANCS) manages the configuration
of the router. For each network user, the SMS maintains a profile of
filtering rules. When the user accesses the network, the SMS downloads
the user's filtering profiles to the ANCS. The ANCS then uses the
downloaded filtering profiles to reconfigure the router. The router then
uses the filtering rules to selectively forward IP packets originating
from the user's host system and directed at the network services.



Fulltext Availability: 
Detailed Description

... as middlemen between network users and applications requiring access
control. When a user sends a request to an application, the request goes
first to the proxy server. The proxy server then authenticates the
user's request and either forwards the request to the application or
discards the request. Access control using proxy servers is an effective
method that reduces the changes that must be made to the applications
requiring access control. As a result, the use of...
Detailed Description

Claims 

Fulltext Word Count: 10010 
English Abstract 

A method and apparatus of using an arbitrary browser and an intermediary
server (201) to gain access to a computer over a network. A network
connection is created between the browser and the computer by using the
intermediary server (201). The intermediary server (201) receives a
request from the browser, and in response thereto, causes the computer to
obtain network connectivity. The intermediate server (201) redirects the
browser (203) on a network server on the computer.

French Abstract 

The invention relates to an apparatus and a method that use an arbitrary
browser and an intermediary server (201) to obtain access to a computer
over a network. A network connection is created between the browser and
the computer using an intermediary server (201). The latter receives a
request from the browser and, in response to that request, causes the
computer to obtain a network connection. The intermediary server (201)
then redirects the browser (203) to a network server on the computer.

amending the claims and to be republished in the
Detailed Description



able to contact the home portal computer system over the public
service telephone network (PSTN).

Referring to Figure 3, the activation protocol begins with the
intermediary server sending a request to the home portal computer
system to communicate with the intermediary server (processing block
301). In one embodiment, the request enumerates the current and pending
key IDs and supported protocols and versions the home portal computer
system may select for use in communicating with the



.NONCEI is a random number greater than or equal to 64 bits (e.g., 128
bits). The NONCEI will be used by the home portal computer system to
authenticate the reply. The information passed to the home portal 
computer system is sent in clear text. 

The intermediary server may contact the home portal computer. . . 
English Abstract

Routing table update messages that include both network-level and
link-level addresses of nodes of a computer network are exchanged among
the nodes of the computer network. Further, a routing table maintained by
a first one of the nodes of the computer network may be updated in
response to receiving one or more of the update messages. The routing
table is preferably updated by selecting a next node to a destination
node of the computer network only if every intermediate node in a path
from the next node to the destination node satisfies a set of nodal
conditions required by the first node for its path to the destination
node and the next node offers the shortest distance to the destination
node and to every intermediate node along the path from the next node to
the destination node. The shortest distance to the destination node may
be determined according to one or more link-state and/or node-state
metrics regarding communication links and nodes along the path to the
destination node. Also, the nodal characteristics of the nodes of the
computer system may be exchanged between neighbor nodes, prior to
updating the routing table. Preferred paths to one or more destination
nodes may be computed according to these nodal characteristics, for
example using a Dijkstra shortest-path algorithm.

French Abstract 

The invention relates to routing table update messages that contain
addresses of nodes of a computer network at both the network level and
the link level, these messages being exchanged among the nodes of the
network. The invention also relates to a routing table maintained by one
of the nodes of the network, which may be updated after receiving one or
more update messages. This routing table is preferably updated by
selecting a next node to a destination node of the computer network only
if each of the intermediate nodes in a path from the next node to the
destination node satisfies a set of nodal conditions required by the
first node for its path to the destination node and if the next node
offers the shortest distance to the destination node and to each of the
intermediate nodes along the path from the next node to the destination
node. The shortest distance to the destination node may be determined
according to link-state and/or node-state parameters regarding the
communication links and the nodes along the path to the destination
node. The nodal characteristics of the nodes of the computer system may
also be exchanged between neighbor nodes before the routing table is
updated. Preferred paths to one or more destination nodes may be
computed according to these nodal characteristics, in particular using a
shortest-path algorithm known as Dijkstra.

Fulltext Availability: 
Detailed Description 

... paths to known destinations. For some embodiments, the shortest (or
preferred) path calculations may be made on the basis of link-cost
metrics and/or node-cost metrics. Further, AIR permits an IR to act
as the proxy destination node for all the hosts attached to the IR, or to
act as an intermediary between senders and receivers of Address
Resolution Protocol (ARP) requests. These address-mapping services
allow the hosts attached to the IRs to perceive the ad-hoc internet as a
single broadcast LAN. Also, AIR updates...

English Abstract

A technique fulfills service requests in a system of computers that
communicate as nodes within a network. The technique involves sending, in
response to an initial service request that requests a service provided by
a primary server node, a mobile agent from the primary server node to an
intermediate node. The mobile agent indicates to the intermediate node
that a secondary server node is capable of providing the service. The
technique further involves intercepting, at the intermediate node, a
subsequent service request sent from a client node to the primary server
node, the subsequent service request requesting the service, and sending
an instruction from the intermediate node to the secondary server node.
The instruction instructs the secondary server node to provide the
service. The technique further includes providing, in response to the
instruction, the service from the secondary server node to the client
node.

French Abstract 

The invention relates to a technique for fulfilling service requests in
a system of computers that communicate as nodes of a network. The
technique includes the step of sending, in response to an initial
service request for a service provided by a primary server node, a
mobile agent from the primary server node to an intermediate node. The
mobile agent indicates to the intermediate node that a secondary server
node is capable of providing the service. The technique further includes
the steps of intercepting, at the intermediate node, a subsequent
service request coming from a client node and intended for the primary
server node, the subsequent service request requesting the service; and
sending an instruction from the intermediate node to the secondary
server node. The instruction directs the secondary server node to
provide the service. The technique further includes the step of
providing the service, in response to the instruction, from the
secondary server node to the client node.

Fulltext Availability: 

Claims 
Claim 

... of server nodes and authorization tokens, and wherein the method
further comprises the step of:
querying the server nodes on the list according to the authorization
tokens.

7. A primary server node for responding to service request, comprising:

a memory that stores a program;

an interface circuit; and

a controller coupled to the memory and the interface circuit, the
controller, when executing the program, being capable of:
receiving, through the interface circuit, an initial service request
sent from a client node to the primary server node through an
intermediate node, the service request identifying a service provided
by the primary server node, and
sending, through the interface circuit, a service response to the
client node through the intermediate node, the service response...

English Abstract

Technique for allowing real time centralized administration of protected
objects on client computer systems. When a user logs on to a centrally
administered client machine on a computer network, an intermediary
object modification process starts in the background with administrator
account permissions. Thereafter, whenever the administrative agent on the
client computer system unsuccessfully attempts to perform an operation on
a protected object for which the logon user lacks sufficient permission
to perform (218, 220), the agent passes a request (226, 312) to the
intermediary process to perform the operation. The intermediary process
is able to perform the desired operation because it has sufficient
permission to do so even if the administrative agent does not.

French Abstract 

The present invention relates to a technique allowing real-time
centralized administration of protected objects on client computer
systems. When a user performs the logon procedure on a centrally
administered client machine, an intermediary object modification process
starts in the background with administrator account permissions.
Thereafter, when the administrative agent tries in vain to perform an
operation on a protected object, on a client's computer system, for
which the logged-on user does not have sufficient permission to perform
(218, 220) the operation, the agent passes a request (226, 312) to the
intermediary process so that it performs the operation. The intermediary
process can perform the desired operation because it has sufficient
permission to do so, even if the administrative agent cannot.

Fulltext Availability: 
Claims 

Claim 

... process which lacks sufficient permission to perform said first
operation on said first object, comprising the steps of:

starting an intermediary process on said first computer, said
intermediary process having sufficient permission to perform said first
operation on said first object;

said first process communicating a first request to said intermediary
process to perform said first operation on said first object; and

said intermediary process performing said first operation on said first
object in response to... a first computer system running a WindowsNT®
operating system, by an agent process of an administration computer
system, said agent process running on said first computer system and
lacking sufficient permission to perform said first operation on said
WindowsNT® registry, comprising the steps of:

starting an intermediary service on said first computer, said
intermediary process having sufficient permission to perform said first
operation on said registry;

said agent process receiving a command from said administration computer
system which includes performing said first operation on said registry;

said agent process, in response to said command, communicating a request
to said intermediary service to perform said first operation on said
registry; and

said intermediary service performing said first operation on said
registry in response to said request...

...8

process which lacks sufficient permission to perform said first
operation on said first object, comprising:

means for starting an intermediary process on said first computer, said
intermediary process having sufficient permission to perform said first
operation on said first object;

means in said first process for communicating a first request to said
intermediary process to perform said first operation on said first
object; and

means in said intermediary process for performing said first operation
on said first object... a first computer system running a WindowsNT®
operating system, by an agent process of an administration computer
system, said agent process running on said first computer system and
lacking sufficient permission to perform said first operation on said
WindowsNT® registry, comprising:

means for starting an intermediary service on said first computer, said
intermediary process having sufficient permission to perform said first
operation on said registry;

means in said agent process for receiving a command from said
administration computer system which includes performing said first
operation on said registry;

means in said agent process for, in response to said command,
communicating a request to said intermediary service to perform said
first operation on said registry; and

means in said intermediary service performing said first operation on
said registry in...

When a server receives a service request from a client, identifiers of
a terminal and of a user are acquired from the service request and
authority with respect to the service request is uniquely decided from
the terminal and user identifiers acquired. It is then determined, using
the authority decided, whether or not to accept the service request.

The flowchart has a first step S401, at which a user identifier is
acquired from a service request. Since a relay server and a client
are operating one and the same terminal, the processing for acquiring the
user identifier is capable of being executed securely and efficiently
without using an authentication server or the like.

Next, in a case where various settings relating to a series of services
have been provided by a server, authority is decided...

.SPECIFICATION the state of link DE (by subtracting the equivalent
bit-rate of the connection from the currently available capacity). When
the call is released later, node A updates the available capacity of
link AD and requests node D to update the available capacity of link
DE.



Decision Delegation 

Consider a request for a connection of a given EBR (equivalent bit 
rate) (omega) from node A to node E. In Figure 8, node A has only one 
available link to node C. Node A can then authorize node C to 
accept or reject the request. The decision would be based on the 
available capacity of link CE. When there are two paths to destination, 
the originating node would authorize the node at the end of the 
link of larger available capacity to make the decision conditional on a 
given threshold 410. In Figure 9, messages are... 

.A to node E as described above. However, since link AC has a higher
available capacity in comparison with link AD (60 units vs. 40 units),
node C would be authorized to handle the AE connection request, if the
CE available capacity exceeds 40 units. The delegation may reduce the
call set-up delay and messages...

.SPECIFICATION responsive to the call to access entry 512 of table 501 of
FIG. 9 and determines that PCS telephone 168 is currently registered on
switching node 110. The mobility management application then requests
that the call be redirected to switching node 110. The transport
layer of switching node 108 is responsive to this request to access the
level 4 routing table 504 of FIG. 5 and to redirect the call to
switching node 110 using link 163. Entry 515 was added to table 504, when
switching node 110 requested the authentication information. When the
call is received at switching node 110, the session layer is responsive
to the directory telephone number to access entry 901 of...

into authentication hierarchical structures with respect to
authentication information. If the authentication information is stored
all switching nodes in that authentication hierarchical structure can
access the authentication information. An authentication hierarchical
structure allows any switching node that is part of the authentication
hierarchical structure to obtain the authentication information from
another switching node within the authentication hierarchical structure
if another switching node has the authentication information. Only one
switching node is required to retain the authentication information
within a given authentication hierarchical structure.

Detailed Description
Claims 

Fulltext Word Count: 9809 

English Abstract 

The invention externalizes an authentication mechanism from an 
application in the form of a login server (204) so that the application 
does not have to authenticate any user. The login server is configured to 
handle authentication. An application server (202), having the 
application, checks (304) if a request (206) has an active and valid 
session; and if there is not a valid session, the application server 
redirects (306) the user to the login server. The login server attempts 
(308) to authenticate the user (200) by using any authentication 
mechanism. Once authenticated, the login server redirects (314) the user 
back to the application server. The application server verifies the 
authentication with the login server; and once verified, the application 
server processes the request. The communications between the two servers 
are independent of user interaction. 

French Abstract 

The invention relates to extracting an authentication mechanism from an
application in the form of a login server (204) so that the application
has no user to authenticate. The login server is configured to carry out
authentication. An application server (202) having the application
checks (304) whether a request (206) corresponds to an active and valid
session. If no session is valid, the application server redirects (306)
the user to the login server. The login server attempts (308) to
authenticate the user (200) using any authentication mechanism. After
authentication, the login server redirects the user back to the
application server. The application server verifies the authentication
directly with the login server. After verification, the application
server processes the user's request. The communications between the two
servers are not subject to interaction from the user.

Claims

Claim 

session if said cookie is valid.

22. A computer program product comprising:

a computer usable medium having computer readable program code
embodied therein configured to authenticate requests, said computer
program product comprising:

computer readable program code configured to cause a computer to
request information from a first server;

computer readable program code configured to cause said first server to
redirect said request to a second server;

computer readable program code configured to cause said second server
to authenticate a requestor of said information; and

computer readable program code configured to cause said second server
to redirect said request to said first server.

23. The computer program product of claim 22 further comprising
computer readable program code configured to cause a computer to create a
session if said authentication by said second server is successful.



